Solved

Server 2008 R2 WSUS updating Server without approval

Posted on 2013-05-28
Last Modified: 2013-06-10
Hello,

We currently set up a WSUS server and, for some reason, without us allowing it in the group policy, the WSUS started installing updates on our server and rebooting it without approval.

Is there a setting in the WSUS that perhaps supersedes the GPO?

I can see the Automatic approval rule in the WSUS is set to default.

I also see under "Options" "Computers" it says "User Group Policy or the computer registry"

But then when I go to the left pane and click on "Computers" under "unassigned Computers" I see all my computers and even my server.

Today all servers were updating and rebooting without our consent.

So again can the WSUS force the updates and reboot without GPO consent?
Question by:Spirit_US
6 Comments
 
LVL 12

Expert Comment

by:Chris
ID: 39201782
WSUS is only a source for updates. No policies are applied to computers from the WSUS console. You will need to check over your group policy settings and probably enforce settings to prevent automatic installation and reboot.
0
 
LVL 10

Accepted Solution

by:
akhalighi earned 334 total points
ID: 39201785
When you deploy WSUS, your GPO will point your domain computers to WSUS; rules in WSUS are not GPO related. If you have a "let go" rule, then it deploys!

This is a very common issue and many admins ran into it. Make sure you disable rules OR WSUS automatic synchronizations, because every time it synchronizes, your machines receive updates.
0
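A read-only way to check the server-side settings this answer mentions (automatic approval rules and automatic synchronization), as an added example that is not part of the original thread. It assumes it is run in an elevated PowerShell session on the WSUS server with the WSUS administration assembly installed; the function name is hypothetical.

```powershell
# Added example (not from the thread): audit WSUS settings that can release
# updates to clients without an administrator approving each one.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Get-WsusAutoDeployAudit {   # hypothetical helper name
    # Connects to the WSUS instance on the local machine.
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $rows = @()

    # Automatic approval rules: an enabled rule approves matching updates
    # for every computer group it targets.
    foreach ($rule in $wsus.GetInstallApprovalRules()) {
        $groups = ($rule.GetComputerTargetGroups() | ForEach-Object { $_.Name }) -join ', '
        $rows += New-Object PSObject -Property @{
            Item = 'ApprovalRule'; Name = $rule.Name
            Enabled = $rule.Enabled; Detail = "Targets: $groups"
        }
    }

    # Scheduled synchronization: new updates arrive on their own, and any
    # enabled rule is applied to them.
    $sub = $wsus.GetSubscription()
    $rows += New-Object PSObject -Property @{
        Item = 'Synchronization'; Name = 'SynchronizeAutomatically'
        Enabled = $sub.SynchronizeAutomatically
        Detail = "$($sub.NumberOfSynchronizationsPerDay) per day"
    }

    # Targeting mode: 'Client' means group membership comes from Group Policy
    # or the registry; 'Server' means it is assigned in the WSUS console.
    $cfg = $wsus.GetConfiguration()
    $rows += New-Object PSObject -Property @{
        Item = 'Targeting'; Name = 'TargetingMode'
        Enabled = $null; Detail = [string]$cfg.TargetingMode
    }

    $rows | Select-Object Item, Name, Enabled, Detail
}

Get-WsusAutoDeployAudit | Format-Table -AutoSize
```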
 
LVL 10

Assisted Solution

by:akhalighi
akhalighi earned 334 total points
ID: 39201796
The reboot option can also be controlled within GPO. It's better to exclude servers from auto reboot (by putting them in a different OU).
0

 
LVL 12

Assisted Solution

by:Chris
Chris earned 166 total points
ID: 39201809
Look under:

Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update

The settings which will possibly need changing are:

Allow Automatic Updates Immediate Installation
Configure Automatic Updates
No Auto-restart with logged on users for scheduled automatic updates.

I would advise that you turn off automatic installation for servers and run the updates during maintenance windows.
0
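To see which of these settings a server actually received, the policy values can be read from the registry on that server. This is an added example, not part of the original thread; the registry path and value names are the standard locations the Windows Update policies write to, and the function names are hypothetical.

```powershell
# Added example (not from the thread): report the effective Windows Update
# policy on the local machine. A $null value means "Not Configured".
function Get-PolicyValue([string]$Path, [string]$Name) {   # hypothetical helper
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-WindowsUpdatePolicy {   # hypothetical helper name
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"

    # Meaning of AUOptions, set by "Configure Automatic Updates".
    $auText = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }

    $opt      = Get-PolicyValue $au 'AUOptions'
    $noReboot = Get-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers'
    $mode     = 'Not Configured'
    if ($opt -ne $null) { $mode = $auText[[int]$opt] }

    New-Object PSObject -Property @{
        WUServer                      = Get-PolicyValue $wu 'WUServer'
        UseWUServer                   = Get-PolicyValue $au 'UseWUServer'
        NoAutoUpdate                  = Get-PolicyValue $au 'NoAutoUpdate'
        AUOptions                     = $opt
        AUOptionsMeaning              = $mode
        ScheduledInstallDay           = Get-PolicyValue $au 'ScheduledInstallDay'   # 0 = every day
        ScheduledInstallTime          = Get-PolicyValue $au 'ScheduledInstallTime'  # hour, 0-23
        # Set by "Allow Automatic Updates immediate installation".
        AutoInstallMinorUpdates       = Get-PolicyValue $au 'AutoInstallMinorUpdates'
        NoAutoRebootWithLoggedOnUsers = $noReboot
        # Scheduled install with nothing holding back the restart.
        ScheduledInstallWithAutoRestart = (($opt -eq 4) -and ($noReboot -ne 1))
    } | Select-Object WUServer, UseWUServer, NoAutoUpdate, AUOptions, AUOptionsMeaning,
        ScheduledInstallDay, ScheduledInstallTime, AutoInstallMinorUpdates,
        NoAutoRebootWithLoggedOnUsers, ScheduledInstallWithAutoRestart
}

Get-WindowsUpdatePolicy | Format-List
```

Running `gpresult /h report.html` on the same machine shows which GPO supplied each value.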
 
LVL 4

Expert Comment

by:Tushar_Darwatkar
ID: 39203687
Hello,

Check the link below, which will help you to configure the Automatic Updates with GPO.

http://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspx
0
 

Author Comment

by:Spirit_US
ID: 39209661
I've attached what I currently have going on in my GPO... I see "Configure Automatic Update" is enabled but "Allow Automatic Updates immediate installation" is set to Not Configured.

Does this mean that it was the WSUS that pushed the installation?

Also, should I set all of these options to a "Not Configured" state and create 1 Policy linked to an OU for servers where it does not update the server so I can do that manually, and create another Policy for Computers and link that one to a Computers OU?

I'm assuming that changing the State to "Not Configured" in the "Default Domain Policy" will not interfere with the 2 new policies that I would create to link to Servers OU and Computers OU.

Please advise guys. Thanks!
gpo-settings.jpg
0
