WSUS clients in Azure not auto install/reboot at GPO configured time

  • Question

  • Hi all,

    We have WSUS deployed on prem and extended via VPN to our Azure VMs.  Connectivity is perfect, updates are being downloaded by both on prem and Azure VMs, everything is checking in regularly.

    The on prem servers and Azure VMs have the same GPO settings applied.

    e.g.

    Windows Components/Windows Update

    Policy: Always automatically restart at the scheduled time
      Setting: Enabled
      The restart timer will give users this much time to save their work (minutes): 15

    Policy: Automatic Updates detection frequency
      Setting: Enabled
      Check for updates at the following interval (hours): 6

    Policy: Configure Automatic Updates
      Setting: Enabled
      Configure automatic updating: 4 - Auto download and schedule the install
      The following settings are only required and applicable if 4 is selected.
      Install during automatic maintenance: Disabled
      Scheduled install day: 1 - Every Tuesday
      Scheduled install time: 04:00

    Policy: Do not connect to any Windows Update Internet locations
      Setting: Enabled

    Policy: Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
      Setting: Enabled

    Policy: Enable client-side targeting
      Setting: Enabled
      Target group name for this computer: Dev

    Policy: No auto-restart with logged on users for scheduled automatic updates installations
      Setting: Disabled

    Policy: Specify intranet Microsoft update service location
      Setting: Enabled
      Set the intranet update service for detecting updates: http://ourWSUSserver.domain.int:8530
      Set the intranet statistics server: http://ourWSUSserver.domain.int:8530
      (example: http://IntranetUpd01)

    Policy: Turn off the upgrade to the latest version of Windows through Windows Update
      Setting: Enabled

    The on prem servers are automatically installing and rebooting on their configured day and time when updates are approved.

    The Azure VMs are not.  There's nothing in the WindowsUpdate.log regarding failures to install or reboot, nor any error entries for the WindowsUpdateClient source in the System log.

    There are informational logs in System before the appointed install/reboot time that show the WU client has patches downloaded and ready to install:

    Log Name:      System
    Source:        Microsoft-Windows-WindowsUpdateClient
    Date:          7/18/2016 6:29:52 PM
    Event ID:      17
    Task Category: Automatic Updates
    Level:         Information
    Keywords:      Success,Download
    User:          SYSTEM
    Computer:      ServerName.domain.int
    Description:
    Installation Ready: The following updates are downloaded and ready for installation: 
    - Security Update for Microsoft .NET Framework 4.5.2 on Windows 8.1 and Windows Server 2012 R2 for x64 (KB3163291)
    - Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 for x64 (KB3163247)
    - Security Update for Windows Server 2012 R2 (KB3170455)
    - Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.225.1834.0)
    - Security Update for Windows Server 2012 R2 (KB3172727)
    - Security Update for Windows Server 2012 R2 (KB3168965)
    - Cumulative Security Update for Internet Explorer 11 for Windows Server 2012 R2 (KB3170106)
    - Security Update for Windows Server 2012 R2 (KB3170377)
    - Security Update for Windows Server 2012 R2 (KB3169704)
    The only difference between our on prem devices and Azure VMs is that in WSUS we have definition updates for System Center Endpoint Protection configured to automatically approve for install.  I see these being successfully installed:

    Log Name:      System
    Source:        Microsoft-Windows-WindowsUpdateClient
    Date:          7/18/2016 6:29:57 PM
    Event ID:      43
    Task Category: Windows Update Agent
    Level:         Information
    Keywords:      Started,Installation
    User:          SYSTEM
    Computer:      Servername.domain.int
    Description:
    Installation Started: Windows has started installing the following update: Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.225.1834.0)
    
    Log Name:      System
    Source:        Microsoft-Windows-WindowsUpdateClient
    Date:          7/18/2016 6:31:05 PM
    Event ID:      19
    Task Category: Windows Update Agent
    Level:         Information
    Keywords:      Success,Installation
    User:          SYSTEM
    Computer:      Servername.domain.int
    Description:
    Installation Successful: Windows successfully installed the following update: Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.225.1834.0)
    

    Is having these updates being automatically approved and installed "confusing" the WU client so that it doesn't install the rest of the updates at its configured install day/time?

    I know there is a GPO setting for "Allow Automatic Updates immediate installation" which I currently have undefined.  Does this need to be enabled to allow the SCEP updates to install as they're approved, while the remaining updates install/reboot at the configured day/time?

    Any other ideas on what to check?

    Tuesday, July 19, 2016 5:13 PM

Answers

  • I found out the culprit is probably the IaaS Antimalware VM extension (SCEP).

    I opened a case with MSFT.

    Ironically, automatic SCEP definition updates install just fine from the wsus server, but OS updates did not.
    Sunday, August 21, 2016 3:16 PM

All replies

  • Hi KolbyJ,

    >Is having these updates being automatically approved and installed "confusing" the WU client so that it doesn't install the rest of the updates at its configured install day/time?

    No, automatically approving updates on WSUS won't affect clients' AU behavior. On the WSUS server, approving updates for install only means WSUS allows clients to install them. When to install is still decided by the clients' AU options.

    >There are informational  logs in System before the appointing install/reboot time that show the WU client has patches downloaded and ready to install:

    Then what is the windows update log after the scheduled installation time?

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, July 20, 2016 8:01 AM
  • We are experiencing the exact same thing. Immediately after deployment from Azure, the IaaS ARM VMs (latest Azure image of July 16) are configured to use the local WSUS server (registry set using the script extension) and to update every day at 3AM. They see the needed updates just fine, and I can install them manually, but they never install automatically. I do not see any irregularities in the update log; it just never seems to trigger the autoupdate at all, but the Antimalware definition updates get installed a few times a day without any problems.

    Update: It seems that the WU AU task \Microsoft\Windows\WindowsUpdate\AUScheduledInstall in Task Scheduler does not become active (it is disabled). If I change ScheduledInstallTime in the policy afterwards, I see this task gets reconfigured to run Once at the selected time.

    I also noted that in the log (see the bottom of this post for more) I see this entry:
    AU   # Approval type: Scheduled (Policy)
    But I never see a line containing the Install Day and Time as I have seen in other log samples.

    ####

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate]
    "WUServer"="http://10.10.10.4:8530"
    "WUStatusServer"="http://10.10.10.4:8530"
    "TargetGroup"="AutoUpdate"
    "TargetGroupEnabled"=dword:1
    "DisableWindowsUpdateAccess"=dword:1
    "DoNotConnectToWindowsUpdateInternetLocations"=dword:1
    "ElevateNonAdmins"=dword:0
    "AcceptTrustedPublisherCerts"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU]
    "AUOptions"=dword:4
    "ScheduledInstallDay"=dword:0
    "ScheduledInstallTime"=dword:3
    "UseWUServer"=dword:1
    "AutoInstallMinorUpdates"=dword:1
    "DetectionFrequency"=dword:6
    "DetectionFrequencyEnabled"=dword:1
    "AlwaysAutoRebootAtScheduledTime"=dword:1
    "NoAutoUpdate"=dword:0
    "RebootRelaunchTimeoutEnabled"=dword:0
    "RebootRelaunchTimeout"=dword:1
    "NoAutoRebootWithLoggedOnUsers"=dword:0
    "RebootWarningTimeoutEnabled"=dword:0
    "RebootWarningTimeout"=dword:1
    "RescheduleWaitTimeEnabled"=dword:0
    "RescheduleWaitTime"=dword:1

    2016-07-23 11:42:02:731  872 698 AU ###########  AU: Initializing Automatic Updates  ###########
    2016-07-23 11:42:02:731  872 698 AU AIR Mode is enabled
    2016-07-23 11:42:02:731  872 698 AU Need to reset accelerated install required state
    2016-07-23 11:42:02:731  872 698 AU AIR Mode is disabled
    2016-07-23 11:42:02:731  872 698 AU Accelerate Install required state reset
    2016-07-23 11:42:02:731  872 698 AU   # Policy Driven Provider: http://10.10.10.4:8530
    2016-07-23 11:42:02:731  872 698 AU   # Detection frequency: 6
    2016-07-23 11:42:02:731  872 698 AU   # Target group: AutoUpdate
    2016-07-23 11:42:02:731  872 698 AU   # Approval type: Scheduled (Policy)
    2016-07-23 11:42:02:731  872 698 AU   # Auto-install minor updates: Yes (Policy)
    2016-07-23 11:42:02:731  872 698 AU   # Will interact with non-admins (Non-admins are elevated (User preference))
    2016-07-23 11:42:02:746  872 698 AU WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80240037
    2016-07-23 11:42:02:746  872 698 AU WARNING: Failed to get Network Cost info from NLM, assuming network is NOT metered, error = 0x80240037
    2016-07-23 11:42:02:746  872 698 AU AU finished delayed initialization
    2016-07-23 11:42:02:762  872 698 AU Currently AUX is enabled - so not show any WU Upgrade notifications.
    2016-07-23 11:42:02:762  872 698 AU WARNING: Failed to get Network Cost info from NLM, assuming network is NOT metered, error = 0x80240037
    2016-07-23 11:42:02:778  872 698 AU WARNING: Failed to get Network Cost info from NLM, assuming network is NOT metered, error = 0x80240037

    • Edited by iisworks Saturday, July 23, 2016 10:15 AM
    Friday, July 22, 2016 8:44 AM
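As an added diagnostic that is not from the thread or from Microsoft, the following PowerShell script gathers on one VM the three things the posts above compare: the WSUS/AU policy registry values iisworks exported, the state of the AUScheduledInstall task he found disabled, and the WindowsUpdateClient events KolbyJ quoted. It assumes Windows Server 2012 R2 (ScheduledTasks module available) and an elevated session; the ScheduledInstallDay names follow Microsoft's documented registry values, not the "1 - Every Tuesday" shown in the GPO report.

```powershell
# Added diagnostic script (not from the thread). Assumes Windows Server 2012 R2,
# PowerShell 4+, run elevated on the affected VM. Checks the three things the
# thread compares: WSUS/AU policy registry values, the AUScheduledInstall task,
# and WindowsUpdateClient events in the System log.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"

Write-Output '== WSUS policy =='
Get-ItemProperty -Path $wuPolicy |
    Select-Object WUServer, WUStatusServer, TargetGroup, TargetGroupEnabled | Format-List

Write-Output '== Automatic Updates policy =='
$au = Get-ItemProperty -Path $auPolicy
# Documented ScheduledInstallDay values: 0 = every day, 1 = Sunday ... 7 = Saturday.
$days = @('Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday')
[pscustomobject]@{
    AUOptions                       = $au.AUOptions   # 4 = auto download and schedule the install
    ScheduledInstallDay             = "$($au.ScheduledInstallDay) ($($days[[int]$au.ScheduledInstallDay]))"
    ScheduledInstallTime            = '{0:D2}:00' -f [int]$au.ScheduledInstallTime
    UseWUServer                     = $au.UseWUServer
    AlwaysAutoRebootAtScheduledTime = $au.AlwaysAutoRebootAtScheduledTime
    NoAutoRebootWithLoggedOnUsers   = $au.NoAutoRebootWithLoggedOnUsers
} | Format-List

Write-Output '== AUScheduledInstall task =='
# iisworks observed this task sitting Disabled on the affected VMs.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\WindowsUpdate\' `
                          -TaskName 'AUScheduledInstall' -ErrorAction SilentlyContinue
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        State       = $task.State
        NextRunTime = $info.NextRunTime
        LastRunTime = $info.LastRunTime
        LastResult  = $info.LastTaskResult
    } | Format-List
} else {
    Write-Warning 'AUScheduledInstall task not found'
}

Write-Output '== WindowsUpdateClient events, last 7 days =='
# 17 = Installation Ready, 43 = Installation Started, 19 = Installation Successful (all
# seen in the thread); 20 = Installation Failure, which the poster reports never appears.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
    Id = 17, 19, 20, 43; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Message'; e={ $_.Message.Split("`n")[0] }} |
    Sort-Object TimeCreated | Format-Table -AutoSize
```

A task that stays Disabled with no NextRunTime while events 17 keep appearing and 43/19 only ever name definition updates is the pattern both posters describe.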
  • Hi KolbyJ,

    Have you got any progress with the issue, feel free to feed back.

    Hi iisworks,

    Also welcome to feed back your progress.

    Best Regards,

    Anne


    Thursday, July 28, 2016 9:38 AM