Windows Server 2008 rebooted after auto installing updates

I have a Windows 2008 server that automatically rebooted. On investigation
it rebooted after serveral updates had been automatically installed. I have
a GPO in place that prompts an Admin to install updates.

I use a WSUS 3.0 server running on Windows Server 2003 SP2 and have no rules
for Automatic Approvals but do have "Automatically approve new revisions"
checked. I checked the update log and found that 8 updates had been
"Auto-Approved for download" and that the HasDeadline option was set to 1.
The server downloaded and installed the updates and then rebooted the server.

Can anyone explain why this happened and how I stop it from happening again?

"John James" <> wrote in message
news:F65F038C-BEEC-43F8-B352-...
> I have a Windows 2008 server that automatically rebooted. On
> investigation
> it rebooted after serveral updates had been automatically installed.

> I have a GPO in place that prompts an Admin to install updates.

No... you don't... because there is no such policy setting available. I
submit you have misinterpreted the intent of whichever policy setting you
believe provides this behavior. There is a policy setting which blocks the
use of Scheduled Installations (Configure Automatic Updates | AUOption=3),
and there is a policy setting which blocks the automatic download of
approved content (Configure Automatic Updates | AUOption=2), but neither of
those policy settings has anything to do with an Admin being prompted to
install updates.

An Administative User will *ALWAYS* be prompted to install updates if they
have been downloaded. No policy required. (Note:This behavior can be blocked
with one or more of the policy settings designed to block access to the
WUAgent UI and/or WindowsUpdate, but using those policies necessitates the
use of AUOption=4 (Scheduled Installations) or updates would never get
installed at all.

Extensive details concerning the various WUAgent policy settings can be
found in the WSUS3SP2 Deployment Guide at
http://technet.microsoft.com/en-us/l...33(WS.10).aspx



> I use a WSUS 3.0 server running on Windows Server 2003 SP2 and have no
> rules
> for Automatic Approvals but do have "Automatically approve new revisions"
> checked. I checked the update log and found that 8 updates had been
> "Auto-Approved for download" and that the HasDeadline option was set to 1.
>
> The server downloaded and installed the updates and then rebooted the
> server.
>
> Can anyone explain why this happened and how I stop it from happening
> again?

"WSUS Required" updates, of which there are only three or four, and none
newer than a year ago, are automatically approved in all circumstances;
assuming the "8 updates" to which you refer are none of those; then the only
way to configure the hasDeadline option is for a *HUMAN* to set that
value -- regardless of when/where/how the updates might have been approved.

You can review the Change.LOG logfile found in
%ProgramFiles%\UpdateServices\Logfiles to determine what account was used to
approve updates and/or configure deadlines, and when those actions were
taken.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

Hello Lawrence, Thanks for getting back to me.

You are right I have option 3 set in my GPO which I believe should just
download the update and not install an update without intervention.

I found out that someone had approved the updates and assigned a deadline.

I am also seeing that the Windows 2008 Server keeps disappearing and
reappearing in the WSUS console. Have you seen this before?

Regards, John

"John James" <> wrote in message
news:561F9946-6990-45FA-A703-...

> I found out that someone had approved the updates and assigned a deadline.

<g>... that's how it always happens.

> I am also seeing that the Windows 2008 Server keeps disappearing and
> reappearing in the WSUS console. Have you seen this before?

Yep. Two possible causes:

1. The server has a duplicated SusClientID, as a result of being built from
an image with a SusClientID present. The remediation for this is to delete
the SusClientID and SusClientValidationID registry values in the
HKLM\Software\Microsoft\Windows\CurrentVersion\Win dowsUpdate registry key.

-or-

2. You have competing policies that are changing the group assignment for
the server and it's bouncing in/out of the assigned group (and may not be
visible if the 'bad' group name doesn't actually exist on the WSUS Server),
or

For #1, you'll have other servers (at least one, the one with the same
duplicated SusClientID) demonstrating the same behavior.

For #2, you can verify the target group assignments by searching for the
"Initializing simple targeting cookie" log entries in the server's
WindowsUpdate.log, particularly during the time periods where the server is
disappearing.



--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

I deleted the ClientID and registered the server.

Thanks for all you help, John