Servers ignored WSUS group Policy and defaulted back to standard updates

  • Question

  • Hello all

    I had a major issue last night after 9 of my 12 mailbox servers all restarted themselves after doing updates.

    The puzzling thing is the GPO for WSUS on Exchange servers that has been applied for years is to check but not download or update unless user interaction is provided.

    Checking this morning, all the servers had defaulted back to the Windows default of install all system and application updates at 3am on a Tuesday from the internet. This took down the majority of my environment for about an hour. After checking everything and running a gpupdate it reset everything correctly. As we run everything N+1, we recently did the Exchange 2010 update roll-up 19; these run on 2008R2 Enterprise. Due to the critical nature of Exchange we do these updates sparingly on a 6 month schedule. I've checked other servers with the same policy and they are fine.

    I know Microsoft has been applying an aggressive approach to patching recently with patches to turn automatic updates on for the desktop OSes, but I have never seen/heard of it happening to the server OSes.

    Has anyone seen or heard of this?

    I don't want to have to disable Windows updates on all my critical servers to prevent this but may have to.

    Wednesday, March 21, 2018 1:47 PM

Answers

  • Hello,

    It is strange; it sounds like the group policy went wrong, and after a forced update, the policy got applied again.

    I suggest you check whether anyone changed the group policy or created another policy which conflicts with the old one.

    I have to say that I haven't seen this kind of issue before. In my point of view, without any change of the group policy settings, it should stay as it was before. 

    Regards,

    Yan 


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Groombro Monday, March 26, 2018 9:45 AM
    Thursday, March 22, 2018 5:01 AM
  • So no changes were made to the policy, but it turns out the policy was applying to some desktops as well as all servers. In the investigation my colleague typed run the detect now against this policy and it was failing replication. As best we can tell, this caused AD to rebuild the policy, but in the interim the servers that checked in for GPO dropped the policy and defaulted back to the Windows default settings.

    By the time we were investigating, the policy had replicated again and had reapplied to all the servers.

    We replaced the policy with a new one and have unlinked and disabled the old. And everything seems OK, but we have disabled the critical systems' automatic updates as it seems the only 100% foolproof method of doing this.

      
    • Marked as answer by Groombro Monday, March 26, 2018 9:45 AM
    • Edited by Groombro Monday, March 26, 2018 9:46 AM grammar
    Friday, March 23, 2018 3:56 PM

All replies

  • Hello,

    Check WSUS policy settings of your Exchange server whether update source is WSUS server or not...

    Anyway, the best thing is to install Windows updates on Exchange manually through the Internet after reading the relevant update document (impact)...

    Another best thing is to disable update service on critical servers.

    Check your Active directory for your Exchange server OU. Check Whether the WSUS policy is applied or not to that.

    You can keep critical servers in separate OU and disable update service in servers...

    Thursday, March 22, 2018 4:50 AM
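
One way to catch the drift described in this thread before the scheduled install window, as an added example that is not part of any post: a PowerShell script that reads the Windows Update policy values Group Policy writes to the registry and reports when they are missing or differ from the expected WSUS settings. The WSUS URL is a placeholder, and the expected AUOptions value of 2 (notify before download and install) is an assumption based on the policy described in the question.

```powershell
# Added example: audit the Windows Update policy values that Group Policy writes.
# ExpectedWsusUrl is a placeholder and ExpectedAUOptions is an assumption;
# set both to match your own WSUS policy. Save as a .ps1 script before running.
param(
    [string]$ExpectedWsusUrl   = 'http://wsus.example.internal:8530',
    [int]   $ExpectedAUOptions = 2    # 2 = notify before download and install
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$state = New-Object PSObject -Property @{
    Computer     = $env:COMPUTERNAME
    WUServer     = (Get-PolicyValue $wuKey 'WUServer')
    UseWUServer  = (Get-PolicyValue $auKey 'UseWUServer')
    AUOptions    = (Get-PolicyValue $auKey 'AUOptions')
    NoAutoUpdate = (Get-PolicyValue $auKey 'NoAutoUpdate')
}

$findings = @()
if ($null -eq $state.WUServer) {
    $findings += 'No WUServer policy value: the WSUS policy is not applied'
} elseif ($state.WUServer -ne $ExpectedWsusUrl) {
    $findings += "WUServer is '$($state.WUServer)', expected '$ExpectedWsusUrl'"
}
if ($state.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1: the client will not use WSUS'
}
# NoAutoUpdate = 1 means automatic updating is disabled by policy, so AUOptions is moot.
if ($state.NoAutoUpdate -ne 1 -and $state.AUOptions -ne $ExpectedAUOptions) {
    $findings += "AUOptions is '$($state.AUOptions)', expected $ExpectedAUOptions"
}

$state | Format-List
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1    # non-zero exit so a scheduled task or monitor can alert on drift
}
Write-Output 'Windows Update policy matches the expected WSUS configuration.'
```

Run on a schedule shorter than the Group Policy refresh interval, the non-zero exit code gives monitoring a signal that a server has lost the policy.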