Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Server 2008 R2 WSUS updating Server without approval

Posted on 2013-05-28
6
Medium Priority
?
474 Views
Last Modified: 2013-06-10
Hello,

We currently setup a WSUS server and for some reason without us allowing it in the group policy the WSUS started installing update on our server and rebooting it without approval.

Is there a setting in the WSUS that perhaps supersedes the GPO?

I can see the Automatic approval rule in the WSUS is set to default.

I also see under "Options" "Computers" it says "User Group Policy or the computer registry"

But then when I go to the left pane and click on "Computers" under "unassigned Computers" I see all my computers and even my server.

Today all servers were updating and rebooting without our consent.

So again can the WSUS force the updates and reboot without GPO consent?
0
Comment
Question by:Spirit_US
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 12

Expert Comment

by:Chris
ID: 39201782
WSUS is only a source for updates. No policies are applied to computers from the WSUS console. You will need to check over your group policy settings and probably enforce settings to prevent automatic installation and reboot.
0
 
LVL 10

Accepted Solution

by:
akhalighi earned 1336 total points
ID: 39201785
when you deploy WSUS ; your GPO will point your domain computers to WSUS ; rules in WSUS are not GPO related . if you have a "let go" rule ; then it deploys !

This is a very common issue and many admins ran into it . make sure you will disable rules OR WSUS automatic synchronizations ; because every time it synchronizes , your machines receive updates.
0
 
LVL 10

Assisted Solution

by:akhalighi
akhalighi earned 1336 total points
ID: 39201796
reboot option can also be controlled within GPO . It's better to exclude servers from auto reboot .( bu putting them on a different OU )
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 12

Assisted Solution

by:Chris
Chris earned 664 total points
ID: 39201809
Look under:

Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update

The settings which will possibly need changing are:

Allow Automatic Updates Immediate Installation
Configure Automatic Updates
No Auto-restart with logged on users for scheduled automatic updates.

I would advise that you turn off automatic installation for servers and run the updates during maintenance windows.
0
 
LVL 4

Expert Comment

by:Tushar_Darwatkar
ID: 39203687
Hello,

Check the below link which help you to configure the Automatic Updates with GPO.

http://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspx
0
 

Author Comment

by:Spirit_US
ID: 39209661
I've attached what I currently have going on in my GPO... I see "Configure Automatic Update" is enabled but "Allow Automatic Updates immediate installation" is set to Not Configured.

Does this mean that it was the WSUS pushed the installation?

Also should I set set all of these options to a "Not Configured" state and create 1 Policy linked to a OU for servers where it does not update the server so I can do that manually and create another Policy for Computers and linked that one to a Computers OU?

I'm assuming that by changing the State to "Not Configured" in the "Default Domain Policy" will not interfere with the 2 new policy that I would create to link to Servers OU and Computers OU.

Please advise guys. Thanks!
gpo-settings.jpg
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question