locked
WSUS Automatic approval of superseeding updates that are not approved - bug or feature ? RRS feed

  • Question

  • Good evening,

    On December 8thm 2015 Microsoft issued SP3 for SQL Server 2012. I did not approve the update and in the history it still shows as Revision 200 - Not Approved

    On January 25th 2015 Microsoft released revision 201. That revision as it supersedes another, was automatically approved (first WTF here). As the initial revision was not approved, this one should not have been either. It got approved and got pushed to the production sql servers...

    As the update does not require a reboot (although it does say restart pending in the windows update history on the server), it got installed.... in the middle of a production day, yeah...... 30 minutes of down + havoc on restart of the server.

    I have now deactivated all auto approvals and deactivated the auto approval of superseding updates.

    So between this bug and the one that screws with the respect of the policy set via GPO, it is becoming dangerous to trust anything in relation to updates.

    Has anybody else encountered this feature ?

    Thanks

    Wednesday, January 27, 2016 2:40 AM

All replies

  • Hi,

    First, please check the detailed information of the Change.log. The default location is "C:\Program Files\Update Services\LogFiles".

    If the update is approved by automatic approve rule, the log will show as follows:

    Successfully deployed deployment(Install) of Update for Windows Server 2012 R2 (KB2883200) by WUS Server UpdateID:3C26F30C-FB0A-46F6-AD43-DD20BB48CF96 Revision Number:206 TargetGroup:All Computers

    If the update is approved by admins, the log will show as follows:

    Successfully deployed deployment(Install) of Update for Windows Server 2012 R2 (KB3004908) by CATEST\vm3admin UpdateID:EEE0749E-5D8A-4A0C-A44A-96AE5C805385 Revision Number:200 TargetGroup:All Computers

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, January 27, 2016 2:43 PM
  • Hi,

    So, in the change.log, non of the updates have been approved automatically which is weird and means that there is a bigger problem somewhere, because either the default rules is not working or the change.log is incorrect.

    Second, I can guarantee that on Jan 26th at 2 am EST I did not approve the update even though the logs shows that I did. I was sound asleep at that time.

    Best regards,

    Thursday, January 28, 2016 12:50 PM