Auto Download and Notify WSUS Policy Intermittent

  • Question

  • Hello Everyone,

    We have a group policy for WSUS shown below.

    A few servers that apply this group policy we've found have installed the updates and rebooted without anyone logging in to approve the install.

    In the system event logs (event ID 7040) on the servers I can see that the Windows Modules Installer service gets changed from demand start to auto start then a few seconds later from auto to demand. After a few more seconds the service gets changed back again from demand start to auto start.  The installation of the patches happens shortly after.  How can I troubleshoot to find out why these patches installed?  Or who installed them?  There are no event logs for anyone logging in.  I just wasn't sure where to check next.

    Thanks!

    Monday, February 22, 2016 6:50 PM

Answers

  • So it looks like @ 08:16, it wanted to notify someone that it has updating to do, but there were no suitable logon sessions to perform notification.

    And, @ 09:08, it found somebody logged on and notified them. At this point, the person may not have seen the notification, wasn't looking, went for a coffee, whatever. But the agent either got an interactive "proceed", or a timer expired and so it started updating.

    once updating starts, the reboot *may* automatically follow, or *may* be able to be deferred, or *may* countdown via timer if no interactive deferral occurs.

    I'd be asking Mr. logged-on-@09:08, a couple of questions...


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, February 23, 2016 8:20 PM

All replies

  • what is the OS version of these computers? (modern OS don't honour all the old settings)

    What time of day, did the updates install? (was it 3am)

    although there may not have been a logon event at the time, was *anybody* logged-in previously and their session was still running? (if an admin was logged-in and did not logoff their session, that "idle" session may have been notified, even if nobody was there to see the notification)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, February 22, 2016 8:36 PM
  • All are Windows 2008 Server R2 Enterprise.

    The updates installed on the systems in question all within a half hour or so of each other around 8:30AM.

    It is possible that there were idle sessions but exactly how do idle sessions get notified if no one was using the session (idle, timedout, disconnected etc.)?  

    Thanks,

    Monday, February 22, 2016 9:13 PM
  • depending upon your implementation configuration, RDS/TS sessions might run forever (until the next server restart).

    if your people do "disconnect" instead of "logout", and indefinite session length is permitted, that's what I mean by "idle" - such sessions *may* be notified, even whilst "disconnected" (because the session is still alive/running)

    (this is merely a possibility, I'm sure there are others)

    Since server is WS2008R2, that eliminates the possibility of modern OS features like automatic maintenance, updateorchestrator, etc.

    did you examine the windowsupdate.log or the eventlog\setup (windows updates sometimes get recorded there)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, February 23, 2016 8:01 AM
  • The setup event logs all show that patches were installed around 30 minutes or so before the systems were rebooted then the setup log shows the patches fully installed (event ID 2)

    The setup log shows the following:

    -Some entries that look valid for the patches that were installed.

    2016-02-22          04:42:58:572       1408       26c         AU          ## START ##  AU: Search for updates

    2016-02-22          04:42:58:572       1408       26c         AU          #########

    2016-02-22          04:42:58:572       1408       26c         AU          <<## SUBMITTED ## AU: Search for updates [CallId = {9C75AAB0-25F2-41CD-8E9A-06B8EB721DE8}]

    2016-02-22          04:42:58:572       1408       b8c         Agent    *************

    2016-02-22          04:42:58:572       1408       b8c         Agent    ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]

    2016-02-22          04:42:58:572       1408       b8c         Agent    *************

    2016-02-22          04:42:58:572       1408       b8c         Agent    ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]

    2016-02-22          04:42:58:572       1408       b8c         Agent    *********

    2016-02-22          04:42:58:572       1408       b8c         Agent      * Online = Yes; Ignore download priority = No

    2016-02-22          04:42:58:572       1408       b8c         Agent      * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"

    2016-02-22          04:42:58:572       1408       b8c         Agent      * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed

    2016-02-22          04:42:58:572       1408       b8c         Agent      * Search Scope = {Machine}

    2016-02-22          04:42:58:588       1408       b8c         Setup    Checking for agent SelfUpdate

    Just a bit later…

    2016-02-22          04:43:01:708       1408       b8c         PT             Server URL = http://My-WSUS-server/SimpleAuthWebService/SimpleAuth.asmx

    2016-02-22          04:43:26:340       1408       b8c         PT           +++++++++++  PT: Synchronizing extended update info  +++++++++++

    2016-02-22          04:43:26:340       1408       b8c         PT             + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://My-WSUS-Server/ClientWebService/client.asmx

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Added update {15DF6C3C-C3BE-4572-BCD7-24634AEF06D7}.201 to search result

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Added update {F2B8A6BE-DA59-470A-9741-82252603C7B8}.201 to search result

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Added update {CACA8841-D649-458F-8CDC-2A4D871DE668}.205 to search result

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Added update {9C4B0219-7EAB-41EE-AE6F-5BE2A8D0AAD3}.201 to search result

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Added update {31804649-4B9B-4C5C-AD08-16F6017DAC19}.201 to search result

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Added update {BFADF5FC-3C0A-4899-8C4C-15B7E8523735}.200 to search result

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Added update {6D171224-2B85-4407-A73C-267B8F1DB0B4}.202 to search result

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Added update {A3CB12FB-BCB0-44D9-9DAF-55E7F1D08FAA}.202 to search result

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Added update {BA332C1D-8E4B-41D4-BCDA-24E08F8A71C1}.201 to search result

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Added update {E19110E8-6986-4D5D-849C-108E1410930C}.201 to search result

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Added update {558526FC-8245-4D2E-9B98-73E6B7D81362}.201 to search result

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Added update {A2B88E9C-3220-4D05-BCD2-B2A6B457B65E}.200 to search result

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Added update {2094C66D-57ED-44F1-9590-6CF141D2B20D}.200 to search result

    2016-02-22          04:43:27:884       1408       b8c         Agent      * Found 13 updates and 76 categories in search; evaluated appl. rules of 788 out of 1780 deployed entities

    Then shortly later there are a bunch of these....

    2016-02-22          08:01:08:583       1408       26c         AU          WARNING: AU found no suitable session to launch client in

    2016-02-22          08:01:43:596       1408       26c         AU          WARNING: AU found no suitable session to launch client in

    2016-02-22          08:04:48:601       1408       26c         AU          Windows Update is disabled by policy for user

    2016-02-22          08:04:48:601       1408       26c         AU          WARNING: AU found no suitable session to launch client in

    2016-02-22          08:07:19:617       1408       26c         AU          Windows Update is disabled by policy for user

    2016-02-22          08:07:19:617       1408       26c         AU          WARNING: AU found no suitable session to launch client in

    2016-02-22          08:09:15:467       1408       26c         AU          Windows Update is disabled by policy for user

    2016-02-22          08:09:15:467       1408       26c         AU          WARNING: AU found no suitable session to launch client in

    2016-02-22          08:12:55:990       1408       26c         AU          Windows Update is disabled by policy for user

    2016-02-22          08:12:55:990       1408       26c         AU          WARNING: AU found no suitable session to launch client in

    2016-02-22          08:14:09:145       1408       26c         AU          Windows Update is disabled by policy for user

    2016-02-22          08:14:09:145       1408       26c         AU          Windows Update is disabled by policy for user

    2016-02-22          08:14:09:145       1408       26c         AU          WARNING: AU found no suitable session to launch client in

    2016-02-22          08:16:45:332       1408       26c         AU          Windows Update is disabled by policy for user

    2016-02-22          08:16:45:332       1408       26c         AU          Windows Update is disabled by policy for user

    2016-02-22          08:16:45:332       1408       26c         AU          WARNING: AU found no suitable session to launch client in

    Some time later.....

    2016-02-22          09:08:53:285       1408       26c         AU          Launched new AU client for directive 'Install Approval', session id = 0x20

    2016-02-22          09:08:53:316       25144    623c       Misc       ===========  Logging initialized (build: 7.6.7601.19077, tz: -0500)  ===========

    2016-02-22          09:08:53:316       25144    623c       Misc         = Process: C:\Windows\system32\wuauclt.exe

    2016-02-22          09:08:53:316       25144    623c       AUClnt  Launched Client UI process

    2016-02-22          09:08:53:425       25144    623c       Misc       ===========  Logging initialized (build: 7.6.7601.19077, tz: -0500)  ===========

    2016-02-22          09:08:53:425       25144    623c       Misc         = Process: C:\Windows\system32\wuauclt.exe

    2016-02-22          09:08:53:425       25144    623c       Misc         = Module: C:\Windows\system32\wucltux.dll

    2016-02-22          09:08:53:425       25144    623c       CltUI      AU client got new directive = 'Install Approval', serviceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, return = 0

    2016-02-22          09:19:59:819       1408       de8        AU          Getting featured update notifications.  fIncludeDismissed = true

    2016-02-22          09:19:59:819       1408       de8        AU          AU featured software notification sequence number is 3429, Generation Time:2016-02-22 14:19:59


    I think it says here who approved it below where I'd bolded the text

    2016-02-22          09:20:01:878       1408       60e0      AU          All updates already downloaded, setting percent complete to 100

    2016-02-22          09:20:01:878       1408       60e0      AU          BeginInteractiveInstall invoked for Install with sessionId 32

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approving update for install, updateId = {9C4B0219-7EAB-41EE-AE6F-5BE2A8D0AAD3}.201, ForUx=1, IsOwnerUx=1, HasDeadline=0, IsMinor=0, IsOSUpgrade=0

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approving update for install, updateId = {BA332C1D-8E4B-41D4-BCDA-24E08F8A71C1}.201, ForUx=1, IsOwnerUx=1, HasDeadline=0, IsMinor=0, IsOSUpgrade=0

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approving update for install, updateId = {6D171224-2B85-4407-A73C-267B8F1DB0B4}.202, ForUx=1, IsOwnerUx=1, HasDeadline=0, IsMinor=0, IsOSUpgrade=0

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approving update for install, updateId = {15DF6C3C-C3BE-4572-BCD7-24634AEF06D7}.201, ForUx=1, IsOwnerUx=1, HasDeadline=0, IsMinor=0, IsOSUpgrade=0

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approving update for install, updateId = {CACA8841-D649-458F-8CDC-2A4D871DE668}.205, ForUx=1, IsOwnerUx=1, HasDeadline=0, IsMinor=0, IsOSUpgrade=0

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approving update for install, updateId = {31804649-4B9B-4C5C-AD08-16F6017DAC19}.201, ForUx=1, IsOwnerUx=1, HasDeadline=0, IsMinor=0, IsOSUpgrade=0

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approving update for install, updateId = {2094C66D-57ED-44F1-9590-6CF141D2B20D}.200, ForUx=1, IsOwnerUx=1, HasDeadline=0, IsMinor=0, IsOSUpgrade=0

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approving update for install, updateId = {A2B88E9C-3220-4D05-BCD2-B2A6B457B65E}.200, ForUx=1, IsOwnerUx=1, HasDeadline=0, IsMinor=0, IsOSUpgrade=0

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approving update for install, updateId = {F2B8A6BE-DA59-470A-9741-82252603C7B8}.201, ForUx=1, IsOwnerUx=1, HasDeadline=0, IsMinor=0, IsOSUpgrade=0

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approving update for install, updateId = {E19110E8-6986-4D5D-849C-108E1410930C}.201, ForUx=1, IsOwnerUx=1, HasDeadline=0, IsMinor=0, IsOSUpgrade=0

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approving update for install, updateId = {A3CB12FB-BCB0-44D9-9DAF-55E7F1D08FAA}.202, ForUx=1, IsOwnerUx=1, HasDeadline=0, IsMinor=0, IsOSUpgrade=0

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approving update for install, updateId = {558526FC-8245-4D2E-9B98-73E6B7D81362}.201, ForUx=1, IsOwnerUx=1, HasDeadline=0, IsMinor=0, IsOSUpgrade=0

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approving update for install, updateId = {BFADF5FC-3C0A-4899-8C4C-15B7E8523735}.200, ForUx=1, IsOwnerUx=1, HasDeadline=0, IsMinor=0, IsOSUpgrade=0

    2016-02-22          09:20:01:878       1408       60e0      AU          Auto-approved 13 update(s) for install (for Ux), installType=1

    2016-02-22          09:20:01:878       1408       60e0      AU          #############

    2016-02-22          09:20:01:878       1408       60e0      AU          ## START ##  AU: Install updates

    2016-02-22          09:20:01:878       1408       60e0      AU          #########

    2016-02-22          09:20:01:878       1408       60e0      AU            # Initiating manual install

    2016-02-22          09:20:01:878       1408       60e0      AU            # Approved updates = 13

    2016-02-22          09:20:01:909       1408       60e0      AU          <<## SUBMITTED ## AU: Install updates / installing updates [CallId = {154D8A9D-8182-4DDA-A9A3-EA8015EDC60F}]

    Tuesday, February 23, 2016 1:36 PM
  • Don,

    Thanks for checking into this.  I'll look and see who I can find that was logged in around that time and make a determination from there.

    Cheers

    Wednesday, February 24, 2016 1:56 PM
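
The timeline reading given in the answer can be reproduced mechanically. The following is an added example, not part of the original thread: it parses WindowsUpdate.log lines, converts the hexadecimal session id on the "Launched new AU client" line to decimal, and matches it to the `sessionId` on the `BeginInteractiveInstall` line. The function names are hypothetical, and the sample lines are excerpted from the log posted above.

```python
import re
from datetime import datetime

# Lines excerpted from the WindowsUpdate.log posted in the thread above.
SAMPLE_LOG = """\
2016-02-22  08:14:09:145  1408  26c   AU  WARNING: AU found no suitable session to launch client in
2016-02-22  08:16:45:332  1408  26c   AU  WARNING: AU found no suitable session to launch client in
2016-02-22  09:08:53:285  1408  26c   AU  Launched new AU client for directive 'Install Approval', session id = 0x20
2016-02-22  09:20:01:878  1408  60e0  AU  BeginInteractiveInstall invoked for Install with sessionId 32
2016-02-22  09:20:01:878  1408  60e0  AU  Auto-approved 13 update(s) for install (for Ux), installType=1
"""

# Fields: date, time, PID, TID (hex), component, message
LINE = re.compile(r"^\s*(\d{4}-\d\d-\d\d)\s+(\d\d:\d\d:\d\d:\d{3})\s+\d+\s+[0-9a-fA-F]+\s+(\S+)\s+(.*)$")
NOTIFY = re.compile(r"Launched new AU client for directive '([^']+)', session id = (0x[0-9a-fA-F]+)")
INSTALL = re.compile(r"BeginInteractiveInstall invoked for \w+ with sessionId (\d+)")
APPROVED = re.compile(r"Auto-approved (\d+) update\(s\) for install")


def parse(text):
    """Yield (timestamp, component, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:  # skips blank lines and commentary pasted between log lines
            ts = datetime.strptime(f"{m[1]} {m[2]}", "%Y-%m-%d %H:%M:%S:%f")
            yield ts, m[3], m[4]


def install_timeline(text):
    """Summarise which session was prompted and which session started the install."""
    out = {"no_session_warnings": 0, "notified": [], "installs": [], "approved": 0}
    for ts, component, msg in parse(text):
        if component != "AU":
            continue
        if "found no suitable session" in msg:
            out["no_session_warnings"] += 1
        elif m := NOTIFY.search(msg):
            out["notified"].append((ts, m[1], int(m[2], 16)))  # 0x20 -> 32
        elif m := INSTALL.search(msg):
            sid = int(m[1])
            # Most recent earlier prompt delivered to the same session, if any
            prompts = [n[0] for n in out["notified"] if n[2] == sid and n[0] <= ts]
            out["installs"].append((ts, sid, ts - prompts[-1] if prompts else None))
        elif m := APPROVED.search(msg):
            out["approved"] += int(m[1])
    return out


if __name__ == "__main__":
    for ts, sid, wait in install_timeline(SAMPLE_LOG)["installs"]:
        print(f"{ts} install started from session {sid}; wait since prompt: {wait}")
```

On the excerpt, the prompt went to session 0x20 (decimal 32) and the install began from session 32 about eleven minutes later, so the remaining step is to match that session id to an account in the server's logon and Remote Desktop session records.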