locked
conflicting approvals RRS feed

  • Question

  • computer A is in WSUS group B and WSUS Group C.

    update D is approved for install on WSUS Group B, and Not Approved for Group C.

    is computer A going to detect/install update D?

    Monday, April 1, 2019 7:01 PM

Answers

  • that is the opposite of what I saw. you're certain windows2019 is in the chineses group? I tested multiple times:

    run a detection on the client

    take a screenshot of what's detected

    pick one update and set it to "not approved" for only one of the client's groups

    stop the windows update service on the client

    delete everything in the softwaredistribution folder on the client

    start the windows update service on the client

    run a detection on the client

    compare the current list of detected updates against the screenshot I took before, to verify the "not approved" one is missing

    rinse

    repeat

    • Marked as answer by John_Curtiss Sunday, April 21, 2019 2:30 PM
    Wednesday, April 3, 2019 5:32 PM

All replies

  • Hi John,
      

    Thank you for posting here.
    It seems that everything is ok. If Update D is approved for WSUS Group B, then members of Group B will detect and check if installation is required, which of course includes Computer A.
      

    Is it a problem encountered in the actual operation? Reply back with the problem would be happy to help.
      

    Regards,
    Yic

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 2, 2019 1:55 AM
  • I did some testing, and your reply is this is not the behavior i'm seeing. which is fine, because it's not the behavior I want.

    I have a computer who is a member of the "no .net updates" group and the "servers - qa" group in the approval screenshot below.

    obviously I have an update set to "not approved" on the "no .net updates" group, but set to "approved" on the "servers - qa" group and every other group in my environment.

    the computer is not detecting that update, even though it is a member of "servers - qa".  

    Tuesday, April 2, 2019 5:24 PM
  • Hi John,
      

    I tested what you mentioned and verified your point of view:
      

    1. In the test environment:
      -  The group 'Chineses' includes the client 'Windows2019'
      -  The group 'Win2019' includes the client 'Windows2019'.
      The order of the groups is also similar to the screenshots you provide.
       
    2. I approved an update(KB4493510), approved installation to the 'All Computers' group, and set not approved to the 'Chineses' group.

        
    3. Check the updated report, the client in the 'Chineses' group has not been approved for installation.


       
    4. The client 'Windows2019' detected the approved update and completed the installation.

      And the client part of the WSUS report has also changed.
          

    From the test results, when a single client is added to multiple groups, if one of the related groups is not approved, this will not prevent the client from installing the update.
     

    Hope the above can help you.
     

    Regards,
    Yic

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 3, 2019 5:33 AM
  • that is the opposite of what I saw. you're certain windows2019 is in the chineses group? I tested multiple times:

    run a detection on the client

    take a screenshot of what's detected

    pick one update and set it to "not approved" for only one of the client's groups

    stop the windows update service on the client

    delete everything in the softwaredistribution folder on the client

    start the windows update service on the client

    run a detection on the client

    compare the current list of detected updates against the screenshot I took before, to verify the "not approved" one is missing

    rinse

    repeat

    • Marked as answer by John_Curtiss Sunday, April 21, 2019 2:30 PM
    Wednesday, April 3, 2019 5:32 PM
  • Hi John,
      

    I tested it again and it seems to verify your statement.
    By observing the change.log, when the approval is updated to the 'All Computers' target group and the target subgroup containing the test client is set to 'Not approval', the log includes the contents of the Block:

    2019-04-04 01:53:48.821 UTC	Successfully deployed deployment(Install) of *(KB4490481) by Domain\admin UpdateID:3E454E3F-A396-48BD-9440-2DCD340B273A Revision Number:200 TargetGroup:All Computers
    2019-04-04 01:53:49.056 UTC	Successfully deployed deployment(Block) of *(KB4490481) by Domain\admin UpdateID:3E454E3F-A396-48BD-9440-2DCD340B273A Revision Number:200 TargetGroup:Chineses

      

    At this time, the update cannot be detected on the client.
    When I adjust the approval of this target subgroup to the same parent group, the log appears as follows:

    2019-04-04 02:05:55.529 UTC	Deleted deployment(Block) of *(KB4490481) by Domain\admin UpdateID:3E454E3F-A396-48BD-9440-2DCD340B273A Revision Number:200 TargetGroup:Chineses

      

    After a short wait, the client can detect this update.
    I repeated the test a few times and the results are as you said.
      

    I'm sorry that there may be a problem with the previous experiment, and I am also checking the logs.
      

    Regards,
    Yic

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 4, 2019 3:24 AM
  • Hi,
     

    Any update is welcome here.
    If the issue is resolved, share your solution or find the helpful response "Mark as Answer" to help other community members find the answer.
     

    Thank you for your cooperation, as always.
     

    Regards,
    Yic

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 19, 2019 6:15 AM