Vista machine loses Group Policy WSUS setting, switches to update.

A Vista machine joined to the domain connects to the proper WSUS server that
is enforced through Group Policy. No self-update is required, and no updates
are detected. The WindowsUpdate.log shows proper connection to the server.
An hour later, these lines appear in the log (machine still on the wire,
joined to the domain):

2009-12-01 20:50:24:669 1056 970 AU AU received policy change subscription
event
2009-12-01 22:46:45:707 1056 970 AU AU received policy change subscription
event
2009-12-02 00:45:01:353 1056 970 AU AU received policy change subscription
event
2009-12-02 02:28:15:327 1056 970 AU AU received policy change subscription
event
2009-12-02 03:00:09:990 1056 970 AU Forced install timer expired for
scheduled install
2009-12-02 03:00:09:990 1056 970 AU UpdateDownloadProperties: 0 download(s)
are still in progress.
2009-12-02 03:00:09:990 1056 970 AU Setting AU scheduled install time to
2009-12-03 08:00:00
2009-12-02 04:06:29:936 1056 970 AU AU received policy change subscription
event
2009-12-02 05:59:47:279 1056 970 AU AU received policy change subscription
event
2009-12-02 07:40:00:795 1056 970 AU AU received policy change subscription
event
2009-12-02 08:06:58:595 1056 e78 AU Triggering AU detection through
DetectNow API
2009-12-02 08:06:58:595 1056 e78 AU Triggering Online detection
(interactive) non-default

After this, machine connects to
http://update.microsoft.com/v8/micro...dir/MUAuth.cab, and
determines that a self-update is required.

Any ideas why the machine would suddenly go to microsoft.com for updates?
About an hour later, the Group Policy was back in effect.

"breaker19" <> wrote in message
news:9F911D85-25A0-44CD-8224-...

>A Vista machine joined to the domain connects to the proper WSUS server
>that
> is enforced through Group Policy. No self-update is required, and no
> updates
> are detected. The WindowsUpdate.log shows proper connection to the
> server.
> An hour later, these lines appear in the log (machine still on the wire,
> joined to the domain):
>
> 2009-12-01 20:50:24:669 1056 970 AU AU received policy change subscription
> event

> 2009-12-02 03:00:09:990 1056 970 AU Forced install timer expired for
> scheduled install

> 2009-12-02 03:00:09:990 1056 970 AU Setting AU scheduled install time to
> 2009-12-03 08:00:00

> 2009-12-02 04:06:29:936 1056 970 AU AU received policy change subscription
> event

> After this, machine connects to
> http://update.microsoft.com/v8/micro...dir/MUAuth.cab, and
> determines that a self-update is required.

The selfupdate is likely required because WU/MU offers the newest
(v7.4.7600.276) WUAgent, and if you've not yet upgraded to WSUS v3 SP2, then
your WSUS Server is still serving up a downlevel WUAgent, and your client
systems are likely still running with the downlevel WUAgent.

> Any ideas why the machine would suddenly go to microsoft.com for updates?
> About an hour later, the Group Policy was back in effect.

Conflicting Group Policies is what it looks like to me. I'd venture that
you've got two different policies configured to specific update services
behavior -- one is configured to point to the WSUS Server, and the other,
wherever it is, would have to have "Specify intranet Microsoft update
services location" set to *DISABLED* in order to force it to change the
registry value and revert to using AU instead of WSUS.

My suggestion is to run an RSOP on this client and find out which policies
are being applied, and then visually inspect the settings for the "Windows
Update" policies in each of those GPOs and make sure that only one GPO has
values set to something other than "Not Configured".



--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin