Cancel Pending Updates

An admin accidentaly removed the group policy for server upates from
the servers OU. The servers then downloaded all updates it needs from
Microsoft instead of our WSUS servers. I caught this within 1 hour of
the change. Event logs for 150 out of 250 servers states Updates
were downloaded and scheduled to install tonight (basic windows
settings). I then re-applied the GPO to the servers OU and the
servers are back to original configuration. How do I cancel the
pending Updates? Will the GPO cancel those?

Any help appreciated.

Forwarded to the WSUS newsgroup for the poster's convenience:

Web-based newsreader:
http://www.microsoft.com/technet/com...pdate_services

For NNTP reader:
news://msnews.microsoft.com/microsof...pdate_services


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============


wrote:

> An admin accidentaly removed the group policy for server upates from
> the servers OU. The servers then downloaded all updates it needs from
> Microsoft instead of our WSUS servers. I caught this within 1 hour of
> the change. Event logs for 150 out of 250 servers states Updates
> were downloaded and scheduled to install tonight (basic windows
> settings). I then re-applied the GPO to the servers OU and the
> servers are back to original configuration. How do I cancel the
> pending Updates? Will the GPO cancel those?
>
> Any help appreciated.

wrote:

> An admin accidentaly removed the group policy for server upates from
> the servers OU. The servers then downloaded all updates it needs from
> Microsoft instead of our WSUS servers. I caught this within 1 hour of
> the change. Event logs for 150 out of 250 servers states Updates
> were downloaded and scheduled to install tonight (basic windows
> settings). I then re-applied the GPO to the servers OU and the
> servers are back to original configuration. How do I cancel the
> pending Updates? Will the GPO cancel those?

I would expect the pending updates to be cancelled provided a detection takes
place before they are due.

You can check by logging into one of the servers, running

wuauclt /detectnow

waiting ten minutes and then looking in WindowsUpdate.log to see what it says.
Also look for the yellow shield in the task bar, it should go away once there
are no updates waiting to install.

You may need to run wuauclt /detectnow on each of the affected servers, or
change the GPO again to make the detection interval small enough to ensure a
detection takes place before the installation time is due. Remember it takes a
few hours for any GPO changes to kick in.

Harry.

"MowGreen [MVP]" <> wrote in message
news:#...

> wrote:
>
>> An admin accidentaly removed the group policy for server upates from
>> the servers OU. The servers then downloaded all updates it needs from
>> Microsoft instead of our WSUS servers.

Let's chat for a second about realities of Group Policy. Merely removing a
GPO from Active Directory will *NOT* cause servers to change the contents of
registry configuration values already set.

You also have to have one of these things occurring simultaneously to cause
a server to update using AU:
[a] A configured Local Policy that's been regularly overridden by the
Group Policy,
=AND= the server is rebooted after removal of the GPO, allowing
the Local Policy to be enforced.

[b] A configured (and conflicting) Group Policy that's been suppressed
by this higher priority GPO.

[c] A local administrator browsing to Windows Update to install the
updates that aren't coming from WSUS.

Whether the WUA used AU or WU/MU can be readily determined by the content of
the log entries in %windir%\WindowsUpdate.log.

>> I caught this within 1 hour of the change.
>> Event logs for 150 out of 250 servers states Updates
>> were downloaded and scheduled to install tonight (basic windows
>> settings). I then re-applied the GPO to the servers OU and the
>> servers are back to original configuration. How do I cancel the
>> pending Updates? Will the GPO cancel those?

Yes, the WUA should have executed another detection (with the WSUS Server)
upon reapplication of the primary policy, and that detection would have
enforced the non-approvals on any content downloaded that was not approved
for installation. For updates that were approved, the installation should
have occurred at the scheduled time.

But, you still need to ferret out the source of the conflicting policy(s)
and purge them.

--
Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

Lawrence Garvin [MVP] wrote:

>>> An admin accidentaly removed the group policy for server upates from
>>> the servers OU. The servers then downloaded all updates it needs from
>>> Microsoft instead of our WSUS servers.
>
> Let's chat for a second about realities of Group Policy. Merely removing
> a GPO from Active Directory will *NOT* cause servers to change the
> contents of registry configuration values already set.

That's usually the case (AFAIK) for policy under the Administrative templates
tree, but a quick test shows that it isn't true for the Automatic Updates
policy. When the policy was removed the settings disappeared. (My test box was
running Windows XP service pack 3, but presumably other OSes will behave the
same in this regard.)

Of course, I'd have expected everything to revert back to the default settings,
which shouldn't have caused anything to happen except perhaps the presentation
of the setup wizard. I'm not quite sure how the described symptoms would have
come about; perhaps the group policy only controlled the WSUS URL and the
operational mode was set from the local control panel.

Harry.