  • Status: Solved

WSUS updates Install

In the GPO for WSUS, I configured it to:
option 4 "Auto Download and Schedule the Install"
Schedule Install Day: 0- Every day
Schedule Install Time: 03:00

When I checked the event log for a computer that has the policy applied to it, I found the event ID 17, Source: Windows Update Agent, Category:Installation.

The log says:

 Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions:
- Security Update for Windows Server 2003 (KB958687)
- Security Update for Windows Server 2003 (KB952954)
- Cumulative Security Update for ActiveX Killbits for Windows Server 2003 (KB950760)
- Security Update for Windows Server 2003 (KB954600)
- Security Update for Windows Server 2003 (KB955069)
- Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB954430)
- Security Update for Windows Server 2003 (KB923561)
- Update for Windows Server 2003 (KB967715)
- Security Update for Windows Server 2003 (KB956802)
- Windows Malicious Software Removal Tool - May 2009 (KB890830)
- Security Update for Windows Server 2003 (KB956572)
- Security Update for Windows Server 2003 (KB960225)
- Update for Windows Server 2003 (KB955839)
- Update Rollup for ActiveX Killbits for Windows Server 2003 (KB960715)
- Security Update for Windows Server 2003 (KB961373)
- Security Update for Windows Server 2003 (KB951748)
- Security Update for Windows Server 2003 (KB950762)
- Security Update for Wind


Asked by: jskfan

PeteJThomas Commented:
What are you trying to achieve? Do you want the updates to install automatically?

There are some settings you need to look at:

Comp Config > Admin Templates > Windows Components > Windows Update >

"Allow non-administrators to receive update notifications"
"Allow Automatic Updates Immediate Installation".

But some more information on what you actually want to achieve would be helpful... :)

Pete

jskfan (Author) Commented:
This policy is applied for computers that can receive the updates, install them, and reboot if required at the time specified in the policy.

Baddevildog82 Commented:
Did there use to be a different configuration for WSUS on this domain?  It sounds like that workstation has the "Auto Download and Notify for Install" set.  You may need to go to that machine and run gpupdate /force.

If that doesn't work, try running each of these lines:
net stop wuauserv
Del C:\windows\windowsupdate.log
net start wuauserv
wuauclt.exe /resetauthorization /detectnow
 
sfarazmand Commented:
PeteJThomas is correct, you need to set those settings in order for non-admins (users) to be able to install.

If average Joe is logged in, he does not have privileges to alter the system. Admins do. Those settings allow the updates to be installed when average Joe is logged in.

jskfan (Author) Commented:
Did there use to be a different configuration for WSUS on this domain?  It sounds like that workstation has the "Auto Download and Notify for Install" set.

YES

jskfan (Author) Commented:
But it was changed yesterday, and the log has the date and time of this morning.

PeteJThomas Commented:
Well, it's fair to say that the policy changes SHOULD have taken effect within that time scale, however that is still an assumption at this point...

The easiest way to ensure is just to run the gpupdate /force, and if needs be you can check with gpresult /Z to ensure the individual settings within the policy have been changed...

However as we've stated above, IF the PC is logged on with a user account at the time of the update, you should look at the setting "allow non-administrators..." I mentioned earlier.

And if you don't want any delay after the download of the updates (believe the default is 5mins delay)

PeteJThomas Commented:
Ooops, submitted by accident... To finish:

And if you don't want any delay after the download of the updates (believe the default is 5mins delay) then you can look at the other setting I suggested... "Allow Auto Updates Immediate...".

Just ensure the policy is forced through, then leave it another night or something, and see what happens.

Ideally you should create a test policy for this, then use a test comp object in a test OU. That way you can play about with the settings and change the install times etc to just that one machine until you get it working, then just replicate the settings in the 'live' policy... :)

Pete

jskfan (Author) Commented:
I believe option 4 will be enough for the update to get installed and probably reboot the computer if needed. Here is Microsoft's explanation of option 4:

4 = Automatically download updates and install them on the schedule specified below

Specify the schedule using the options in the Group Policy Setting. If no schedule is specified, the default schedule for all installations will be everyday at 3:00 AM. If any of the updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is logged on to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.)

PeteJThomas Commented:
I'm purely working off the error message given, which implies that the currently logged on user does not have permissions to view the notifications AU is trying to display, hence why it's requesting that an administrator logs on.

If there was a user logged on, and the updates wanted to display a message (such as 'Restart now?' or whatever) the notification would NOT appear as the user does not have administrative privileges... At least that's my understanding of what's happening in your case.

But whichever, if you don't want to try the suggestions I can't force you... :)

Pete

PeteJThomas Commented:
Oh and 1 last question - Have you already configured the "No auto-restart with logged on users for scheduled automatic update installations"?

As if so, this would stop the completion of the update process (the reboot stage) and request that the user restart manually (a notification), and if that is the case, and you don't have the "Allow non-administrator..." configured, the notification would not appear and that's the end of that...

All assuming a standard user account was left logged on to this machine overnight. Just food for thought on the logic of these settings... :)

Pete

jskfan (Author) Commented:
It just doesn't rhyme with option 4.
Option 4 says schedule the install at a certain time, and the one you proposed says install immediately.
Microsoft should disable one of them automatically when the other is enabled, because they are contradictory to my understanding.

and I am logged on as an administrator

PeteJThomas Commented:
The 'immediate install' option only applies to updates that don't affect the system directly or require a restart - So sort of invisible updates (to the user at least), so technically it won't matter whether you have a scheduled option or not - We have both enabled (option 4 and immediate install) and all works fine...

Then those updates that require intervention/restarting will be installed separately at the scheduled time. Try leaving the machine logged off instead, see what happens then... It should just go through fine!

But I'd still say enable the notifications for non-administrators and see if your problem goes away. If so, the au is thinking that you're not logged on as an administrator... :)

Pete

PeteJThomas Commented:
Here is our policy - this works perfectly and the updates are installed within 2 days of being approved every time by all active clients, and IF a restart is required, the users receive notification asking them to restart.

If they say 'No' they are prompted again every 30mins.

Just so you can see someone else's config...
AUPolicy.JPG

PeteJThomas Commented:
AND (finally), this is again assuming that the policy changes had actually taken effect in the first place... :)

You may find that simply running a gpupdate /force or restarting the box now and waiting overnight will sort it all out with no need for any config changes... :)

Pete
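
An added example, not part of the thread and not any poster's code: a PowerShell check of the registry values that the Windows Update policy settings discussed above write on a client, so the question of whether option 4 and the 03:00 daily schedule actually applied can be answered directly after `gpupdate /force`. The function names and the sample hashtable are constructed; the value names (`AUOptions`, `ScheduledInstallDay`, `ScheduledInstallTime`, `NoAutoRebootWithLoggedOnUsers`, `AutoInstallMinorUpdates`, `ElevateNonAdmins`) are the documented Windows Update policy registry values, which the thread itself does not list.

```powershell
# Added example: compare a client's Windows Update policy values with what the
# thread's GPO should deliver. Function names are illustrative.
$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"

function Get-AuPolicy {
    # Registry value -> key it lives under; a missing value means "Not Configured".
    $where = @{
        AUOptions = $AU; ScheduledInstallDay = $AU; ScheduledInstallTime = $AU
        NoAutoRebootWithLoggedOnUsers = $AU; AutoInstallMinorUpdates = $AU
        ElevateNonAdmins = $WU
    }
    $policy = @{}
    foreach ($name in $where.Keys) {
        $item = Get-ItemProperty -Path $where[$name] -Name $name -ErrorAction SilentlyContinue
        $policy[$name] = if ($item) { $item.$name } else { $null }
    }
    $policy
}

function Test-AuPolicy([hashtable]$Policy) {
    $findings = @()
    if ($Policy.AUOptions -eq 3) {
        # 3 = download and notify: the stale-policy case Baddevildog82 suspects
        $findings += 'AUOptions is 3 (download and notify for install); option 4 has not applied'
    } elseif ($Policy.AUOptions -ne 4) {
        $findings += "AUOptions is '$($Policy.AUOptions)', expected 4"
    }
    if ($Policy.ScheduledInstallDay -ne 0) { $findings += 'ScheduledInstallDay is not 0 (every day)' }
    if ($Policy.ScheduledInstallTime -ne 3) { $findings += 'ScheduledInstallTime is not 3 (03:00)' }
    # The combination PeteJThomas describes: restart left to the logged-on user,
    # but non-administrators are not allowed to receive the notification.
    if ($Policy.NoAutoRebootWithLoggedOnUsers -eq 1 -and $Policy.ElevateNonAdmins -ne 1) {
        $findings += 'NoAutoRebootWithLoggedOnUsers=1 without ElevateNonAdmins=1'
    }
    $findings
}

# Constructed sample: a client still holding the earlier "notify" configuration.
$stale = @{ AUOptions = 3; ScheduledInstallDay = 0; ScheduledInstallTime = 3
            NoAutoRebootWithLoggedOnUsers = 1 }
Test-AuPolicy $stale | ForEach-Object { "FINDING: $_" }

# On the client itself, after gpupdate /force:
Test-AuPolicy (Get-AuPolicy) | ForEach-Object { "FINDING: $_" }
```

No output from the last line means the four checks passed; `gpresult /Z`, as suggested in the thread, shows which GPO supplied each setting.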