Solved

WSUS updates Install

Posted on 2009-05-13
15
684 Views
Last Modified: 2012-05-07
in the GPO for WSUS, I configured it to:
option 4 "Auto Downlaod and Schedule the Install"
Schedule Install Day: 0- Every day
Schedule Install Time: 03:00

When I checked the event log for a computer that has the policy applied to it, I found the event ID 17, Source: Windows Update Agent, Category:Installation.

the log says:

 Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions:
- Security Update for Windows Server 2003 (KB958687)
- Security Update for Windows Server 2003 (KB952954)
- Cumulative Security Update for ActiveX Killbits for Windows Server 2003 (KB950760)
- Security Update for Windows Server 2003 (KB954600)
- Security Update for Windows Server 2003 (KB955069)
- Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB954430)
- Security Update for Windows Server 2003 (KB923561)
- Update for Windows Server 2003 (KB967715)
- Security Update for Windows Server 2003 (KB956802)
- Windows Malicious Software Removal Tool - May 2009 (KB890830)
- Security Update for Windows Server 2003 (KB956572)
- Security Update for Windows Server 2003 (KB960225)
- Update for Windows Server 2003 (KB955839)
- Update Rollup for ActiveX Killbits for Windows Server 2003 (KB960715)
- Security Update for Windows Server 2003 (KB961373)
- Security Update for Windows Server 2003 (KB951748)
- Security Update for Windows Server 2003 (KB950762)
- Security Update for Wind


0
Comment
Question by:jskfan
15 Comments
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24374016
What are you trying to achieve? Do you want the updates to install automatically?

There are some settings you need to look at:

Comp Config > Admin Templates > Windows Components > Windows Update >

"Allow non-administrators to receive update notifications"
"Allow Automatic Updates Immediate Installation".

But some more information on what you actually want to achieve would be helpful... :)

Pete
0
 

Author Comment

by:jskfan
ID: 24374088
this policy is applied for computers that can receive the updates, install them ,and reboot if required at the time specified in the policy.
0
 
LVL 2

Assisted Solution

by:Baddevildog82
Baddevildog82 earned 75 total points
ID: 24374101
Did there use to be a different configuration for WSUS on this domain?  It sounds like that workstation has the "Auto Download and Notify for Install" set.  You may need to go to that machine and run gpupdate /force.

If that doesn't work, try running each of these lines:
net stop wuauserv
Del C:\windows\windowsupdate.log
net start wuauserv
wuauclt.exe /resetauthorization /detectnow
0
 
LVL 7

Assisted Solution

by:sfarazmand
sfarazmand earned 75 total points
ID: 24374170
PeteJThomas is correct, you need to set those settings in order for non-admins (users) to be able to install.

If average joe is logged in he does not have proveledges to alter the system. Admins do. Those settings allow the updates to be installed  when avg joe is logged in.
0
 

Author Comment

by:jskfan
ID: 24374412
Did there use to be a different configuration for WSUS on this domain?  It sounds like that workstation has the "Auto Download and Notify for Install" set.

YES
0
 

Author Comment

by:jskfan
ID: 24374421
but changed yesterday and the log has the date and time of this morning
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24374534
Well, it's fair to say that the policy changes SHOULD have taken affect within that time scale, however that is still assumption at this point...

The easiest way to ensure is just to run the gpupdate /force, and if needs be you can check with gpresult /Z to ensure the individual settings within the policy have been changed...

However as we've stated above, IF the PC is logged on with a user account at the time of the update, you should look at the setting "allow non-administrators..." I mentioned earlier.

And if you don't want any delay after the download of the updates (believe the default is 5mins delay)
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 19

Accepted Solution

by:
PeteJThomas earned 350 total points
ID: 24374567
Ooops, submitted by accident... To finish:

And if you don't want any delay after the download of the updates (believe the default is 5mins delay) then you can look at the other setting I suggested... "Allow Auto Updates Immediate...".

Just ensure the policy is forced through, then leave it another night or something, and see what happens.

Ideally you should create a test policy for this, then use a test comp object in a test OU. That way you can play about with the settings and change the install times etc to just that one machine until you get it working, then just replicate the settings in the 'live' policy... :)

Pete
0
 

Author Comment

by:jskfan
ID: 24375189
I believe the option 4 will be enough for the update to get installed and probably reboot the computer if needed. Here Micrsosoft explanation of option 4:

4 = Automatically download updates and install them on the schedule specified below

Specify the schedule using the options in the Group Policy Setting. If no schedule is specified, the default schedule for all installations will be everyday at 3:00 AM. If any of the updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is logged on to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.)
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24375362
I'm purely working off the error message given, which implies that the currently logged on user does not have permissions to view the notifications AU is trying to display, hence why it's requesting that an administrator logs on.

If there was a user logged on, and the updates wanted to display a message (such as 'Restart now?' or whatever) the notification would NOT appear as the user does not have administrative privildges... At least that's my understanding of what's happen in your case.

But whichever, if you don't want to try the suggestions I can't force you... :)

Pete
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24375449
Oh and 1 last question - Have you already configured the "No auto-restart with logged on users for scheduled automatic update installations"?

As if so, this would stop the completion of the update process (the reboot stage) and request that the user restart manually (a notification), and that is the case, and you don't have the "Allow non-administrator..." configured, the notification would not appear and that's the end of that...

All assuming a standard user account was left logged on to this machine overnight. Just food for thought on the logic of these settings... :)

Pete
0
 

Author Comment

by:jskfan
ID: 24375505
it just doesn't rhyme with the option 4.
option 4 says schedule the install at certain time and the one you proposed says install immediately.
microsoft should disable one of them automatically when the other is enabled, because they are contradictory to my understanding

and I am logged on as an administrator
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24375623
The 'immediate install' option only applies to updates that don't affect the system directly or require a restart - So sort of invisible updates (to the user at least), so technically it won't matter whether you have a scheduled option or not - We have both enabled (option 4 and immediate install) and all works fine...

Then those updates that require intervention/restarting will be installed separately at the scheduled time. Try leaving the machine logged off instead, see what happens then... It should just go through fine!

But I'd still say enable the notifications for non-administrators and see if your problem goes away. If so, the au is thinking that you're not logged on as an administrator... :)

Pete
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24375706
Here is our policy - this works perfectly and the updates are installed within 2 days of being approved every time by all active clients, and IF a restart is required, the users receive notification asking them to restart.

If they say 'No' they are prompted again every 30mins.

Just so you can see someone elses config...
AUPolicy.JPG
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24375794
AND (finally), this is again assuming that the policy changes had actually taken affect in the first place... :)

You may find that simply running a gpupdate /force or restarting the box now and waiting overnight will sort it all out with no need for any config changes... :)

Pete
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Join & Write a Comment

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now