?
Solved

Server 2008 R2 WSUS updating Server without approval

Posted on 2013-05-28
6
Medium Priority
?
465 Views
Last Modified: 2013-06-10
Hello,

We currently setup a WSUS server and for some reason without us allowing it in the group policy the WSUS started installing update on our server and rebooting it without approval.

Is there a setting in the WSUS that perhaps supersedes the GPO?

I can see the Automatic approval rule in the WSUS is set to default.

I also see under "Options" "Computers" it says "User Group Policy or the computer registry"

But then when I go to the left pane and click on "Computers" under "unassigned Computers" I see all my computers and even my server.

Today all servers were updating and rebooting without our consent.

So again can the WSUS force the updates and reboot without GPO consent?
0
Comment
Question by:Spirit_US
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 12

Expert Comment

by:Chris
ID: 39201782
WSUS is only a source for updates. No policies are applied to computers from the WSUS console. You will need to check over your group policy settings and probably enforce settings to prevent automatic installation and reboot.
0
 
LVL 10

Accepted Solution

by:
akhalighi earned 1336 total points
ID: 39201785
when you deploy WSUS ; your GPO will point your domain computers to WSUS ; rules in WSUS are not GPO related . if you have a "let go" rule ; then it deploys !

This is a very common issue and many admins ran into it . make sure you will disable rules OR WSUS automatic synchronizations ; because every time it synchronizes , your machines receive updates.
0
 
LVL 10

Assisted Solution

by:akhalighi
akhalighi earned 1336 total points
ID: 39201796
reboot option can also be controlled within GPO . It's better to exclude servers from auto reboot .( bu putting them on a different OU )
0
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

 
LVL 12

Assisted Solution

by:Chris
Chris earned 664 total points
ID: 39201809
Look under:

Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update

The settings which will possibly need changing are:

Allow Automatic Updates Immediate Installation
Configure Automatic Updates
No Auto-restart with logged on users for scheduled automatic updates.

I would advise that you turn off automatic installation for servers and run the updates during maintenance windows.
0
 
LVL 4

Expert Comment

by:Tushar_Darwatkar
ID: 39203687
Hello,

Check the below link which help you to configure the Automatic Updates with GPO.

http://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspx
0
 

Author Comment

by:Spirit_US
ID: 39209661
I've attached what I currently have going on in my GPO... I see "Configure Automatic Update" is enabled but "Allow Automatic Updates immediate installation" is set to Not Configured.

Does this mean that it was the WSUS pushed the installation?

Also should I set set all of these options to a "Not Configured" state and create 1 Policy linked to a OU for servers where it does not update the server so I can do that manually and create another Policy for Computers and linked that one to a Computers OU?

I'm assuming that by changing the State to "Not Configured" in the "Default Domain Policy" will not interfere with the 2 new policy that I would create to link to Servers OU and Computers OU.

Please advise guys. Thanks!
gpo-settings.jpg
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question