Updates Install without user intervention

  • Question

  • Hi All,

    I am currently using WSUS and GPOs to push updates to our Windows 2008 R2 Servers.  We just began doing this within the last couple of months and have created the GPO to "auto download updates and notify for install".  The only other relevant setting is "reschedule Automatic updates scheduled installations" is set to 15 minutes.  Based on our setting of "notify for install", I would not expect this setting to have any effect.

    Now twice in the last week, individual server administrators have been working on their servers, rebooted for whatever reason and then they report to me that Windows Updates are installing without their approval.  Anyone have any ideas how this could happen?

    Thanks

    Tuesday, July 1, 2014 3:22 PM

Answers

  • "I'm absolutely sure they didn't either. That's my exact point. The user does not "initiate" an installation of downloaded updates when the system is shutdown/restarted from the Start Menu -- it happens automatically since Windows 7 SP1."

    If this is the case it explains what's happening and I have to stop this.  What settings then can I use to install the approved updates only if the sys admin initiates it?

    There are two ways to approach this:

    • Configure the WUA to "Notify for Download" (AUOption='2'). As a result, the sysadmin will need to perform two tasks: [1] Download the updates (at which time the Install Updates and Shutdown consideration is in effect), and then [2] Install the updates when desired. This implies planning in advance to allow for the download time, and then planning for the installation event.
    • Use the Command Prompt to reboot the server: SHUTDOWN /R /T which will completely avoid the installation of any updates already downloaded.

    Personally I would offer this argument for consideration: Why is a sysadmin rebooting a server without consideration for the fact that updates might be pending installation? Most organizations I know only restart servers as a function of installing updates, usually during scheduled maintenance windows. Any other activities that require a system restart are deferred until that scheduled maintenance window.

    A corollary to this is also: Why is a sysadmin unfamiliar with the patch state of the system they're responsible for?


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    • Marked as answer by DonJuan1111 Tuesday, July 8, 2014 12:56 PM
    Tuesday, July 8, 2014 1:58 AM

All replies

  • Hi,

    Run gpresult or check registry key directly:

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

    Make sure correct setting is applied to WSUS client.

    If settings are correct, please check windowsupdate.log and share with us.

    Hope this helps.

    Wednesday, July 2, 2014 9:01 AM
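    Added example (not code from the thread or from any of its posters): a PowerShell script that reads the AU policy key named above and, using the Windows Update Agent COM API, lists the updates that are already downloaded but not installed, i.e. the ones a Start Menu restart on Windows 7 SP1 / Server 2008 R2 will install. It assumes an elevated PowerShell 2.0 session on the affected server (hence the PS 2.0-compatible syntax); the function names are my own.

```powershell
# Added example, not from the original thread. Run elevated on the server.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Documented meanings of the AUOptions policy value
$AuOptionNames = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Get-AuPolicyReport {
    # Shows what the GPO actually delivered (same check as gpresult, read from the registry)
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WSUSServer           = $wu.WUServer
        UseWUServer          = $au.UseWUServer
        AUOptions            = $au.AUOptions
        AUOptionsMeaning     = $AuOptionNames[[int]$au.AUOptions]
        RescheduleWaitTime   = $au.RescheduleWaitTime   # the 15-minute value from the question
        ScheduledInstallTime = $au.ScheduledInstallTime
    }
}

function Get-PendingUpdates {
    # Windows Update Agent COM API; on a WSUS client this searches the WSUS server
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            Title        = $u.Title
            IsDownloaded = $u.IsDownloaded   # downloaded updates install on a Start Menu restart
            KB           = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        }
    }
}

Get-AuPolicyReport | Format-List
$downloaded = @(Get-PendingUpdates | Where-Object { $_.IsDownloaded })
if ($downloaded.Count -gt 0) {
    Write-Warning "$($downloaded.Count) downloaded update(s) would install on a Start Menu restart:"
    $downloaded | Format-Table KB, Title -AutoSize
    Write-Host 'To restart without installing them, use: shutdown.exe /r /t 0'
} else {
    Write-Host 'No downloaded-but-uninstalled updates; a Start Menu restart installs nothing.'
}
```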
  • Now twice in the last week, individual server administrators have been working on their servers, rebooted for whatever reason and then they report to me that Windows Updates are installing without their approval.  Anyone have any ideas how this could happen?

    The logical conclusion here is that "Install Updates and Reboot" was invoked. Are your sysadmins aware of this functionality and its implications? This is an inherent risk with "Notify for Install" scenarios.

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Wednesday, July 2, 2014 1:24 PM
  • I've verified the GPO settings are correct and being properly applied based on the registry settings I reviewed. I tried and failed to upload the update log, as getting all the significant entries far exceeded the max allowed character limit.

    I've reviewed the update procedure with the sys admins and they are adamant they did not initiate an install.  Looking at the logs I was able to determine that prior to this new GPO being implemented for this application in May, the server appeared to be set up to go directly to ms and get updates.  It looks like they were installing but thankfully not rebooting.  I believe a series of updates had already been installed and were just waiting for someone to come along and reboot the server, when this happened the sys admins saw the 2k8 installing updates screen during the shutdown.  This is the only explanation that makes any sense at this point.

    Thanks for the feedback.

    Wednesday, July 2, 2014 2:10 PM
  • I've verified the GPO settings are correct and being properly applied based on the registry settings I reviewed.

    GPO settings have very little to do with "Install Updates and Shutdown" functionality. There is an option to suppress the display (and control the default option presented), but that really only had relevance prior to Windows 7 Service Pack 1. Since that time, and on all newer operating systems, the shutdown option is automatically suppressed and automatically triggers "Install Updates and Shutdown", unless SHUTDOWN.EXE is invoked from the command line.
    I tried and failed to upload the update log as to get all the significant entries far exceeded the max allowed character limit.
    Yeah, like, we don't need all 2MB of the logfile, just the relevant few dozen lines at the time the system restarted.

    I've reviewed the update procedure with the sys admins and they are adamant they did not initiate an install.

    I'm absolutely sure they didn't either. That's my exact point. The user does not "initiate" an installation of downloaded updates when the system is shutdown/restarted from the Start Menu -- it happens automatically since Windows 7 SP1.

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, July 4, 2014 3:29 PM
  • "I'm absolutely sure they didn't either. That's my exact point. The user does not "initiate" an installation of downloaded updates when the system is shutdown/restarted from the Start Menu -- it happens automatically since Windows 7 SP1."

    If this is the case it explains what's happening and I have to stop this.  What settings then can I use to install the approved updates only if the sys admin initiates it?  Not on its own just because the system is rebooted.

    Thanks for your feedback, it's most appreciated.
    Monday, July 7, 2014 12:55 PM
  • Thanks for all your feedback.  I will present both options and make the appropriate changes.  As for why they are rebooting outside of maintenance windows, that is a discussion for another day, but I can tell you from time to time the quickest possible reboots are required.

    Thanks again...

    Tuesday, July 8, 2014 12:55 PM