WSUS 3 issue

I have been using WSUS 2 with group policy for some and just started testing
with WSUS 3.
I changed the policy for a few machines to point them to the WSUS 3 server.
They all showed up there and indicated they needed updates. I approved the
updates and none of the machines installed them. I waited for a few days and
nothing happened. Then I set a deadline to the updates and they all
installed. This is fine expect for one thing. One of the machines I am
testing with is a server. The group policy configuration for that machine
specifically says notify for download and notify for install. This always
worked as expected with WSUS 2. With WSUS 3, that machine never notified that
there was an update available. As soon as the deadline was applied on the
updates, that machine installed them and rebooted that night.
1. Do I always have to set a deadline to get the updates installed? This
seems very tedious.
2. Does setting a deadline override the notify settings in the group policy
and force an automatic install? This makes for way more work on the approval
settings to prevent unexpected reboots.

[[ Right pew, wrong church. Forwarded to WSUS newsgroup
(microsoft.public.windows.server.update_services) via crosspost as a
convenience to OP.

On the web:
http://www.microsoft.com/communities...pdate_services

In your newsreader:
news://msnews.microsoft.com/microsof...pdate_services
]]

Doug P wrote:
> I have been using WSUS 2 with group policy for some and just started
> testing
> with WSUS 3.
> I changed the policy for a few machines to point them to the WSUS 3
> server.
> They all showed up there and indicated they needed updates. I approved the
> updates and none of the machines installed them. I waited for a few days
> and
> nothing happened. Then I set a deadline to the updates and they all
> installed. This is fine expect for one thing. One of the machines I am
> testing with is a server. The group policy configuration for that machine
> specifically says notify for download and notify for install. This always
> worked as expected with WSUS 2. With WSUS 3, that machine never notified
> that there was an update available. As soon as the deadline was applied on
> the updates, that machine installed them and rebooted that night.
> 1. Do I always have to set a deadline to get the updates installed? This
> seems very tedious.
> 2. Does setting a deadline override the notify settings in the group
> policy
> and force an automatic install? This makes for way more work on the
> approval
> settings to prevent unexpected reboots.

Navigating the tree structure to find the right group in which to post can be
tedious and sometimes nearly impossible. I did a search for WSUS stuff and
found "microsoft.public.windows.server.update_servic es" but, needless to say,
I was unable to translate this to the tree structure
servers-management-windows update. Consistent naming would be extremely
helpful.


"PA Bear [MS MVP]" wrote:

> [[ Right pew, wrong church. Forwarded to WSUS newsgroup
> (microsoft.public.windows.server.update_services) via crosspost as a
> convenience to OP.
>
> On the web:
> http://www.microsoft.com/communities...pdate_services
>
> In your newsreader:
> news://msnews.microsoft.com/microsof...pdate_services
> ]]
>
> Doug P wrote:
> > I have been using WSUS 2 with group policy for some and just started
> > testing
> > with WSUS 3.
> > I changed the policy for a few machines to point them to the WSUS 3
> > server.
> > They all showed up there and indicated they needed updates. I approved the
> > updates and none of the machines installed them. I waited for a few days
> > and
> > nothing happened. Then I set a deadline to the updates and they all
> > installed. This is fine expect for one thing. One of the machines I am
> > testing with is a server. The group policy configuration for that machine
> > specifically says notify for download and notify for install. This always
> > worked as expected with WSUS 2. With WSUS 3, that machine never notified
> > that there was an update available. As soon as the deadline was applied on
> > the updates, that machine installed them and rebooted that night.
> > 1. Do I always have to set a deadline to get the updates installed? This
> > seems very tedious.
> > 2. Does setting a deadline override the notify settings in the group
> > policy
> > and force an automatic install? This makes for way more work on the
> > approval
> > settings to prevent unexpected reboots.
>
>

"PA Bear [MS MVP]" <> wrote in message
news:...

> Doug P wrote:

>> I changed the policy for a few machines to point them to the WSUS 3
>> server.

>> They all showed up there and indicated they needed updates. I approved
>> the
>> updates and none of the machines installed them. I waited for a few days
>> and nothing happened. Then I set a deadline to the updates and they all
>> installed.

So, what was the AUOptions value configured for those test machines,
particularly the server.

I'd make an educated guess that they didn't install the updates because
AUOptions=3, and they were waiting for an Administrator to install them.
However, when you set the deadline, and the deadline expired, the behavior
was "by design" -- the deadlines forced the IMMEDIATE installation of all of
those deadlined updates, overriding any configuration set in policy.

This is an important point to remember about deadlines, and this behavior
has not changed since in the introduction of deadlines with WSUS 2.0 in
2005 -- Deadlines override ALL policy settings, and force the installation
AND RESTART immediately upon expiration of the deadline.

>> As soon as the deadline was applied on
>> the updates, that machine installed them and rebooted that night.

The key here is whether:
[a] The machine has a *scheduled* installation event.
[b] The update was actually downloaded and scheduled for installation
prior to that event.
[c] The deadline was not yet expired.

>> 1. Do I always have to set a deadline to get the updates installed?

No.

However, if a machine has AUOption=3, it is one way to avoid the need to
have an administrator log onto the machine and install the updates
interactively.

You can use AUOption=3, normal approvals on updates, to ensure updates are
downloaded to all machines, and then use the deadline to control the start
of your installation/restart time. Warning: If the update is not yet
downloaded, a deadline will force the installation/restart at the point when
the download does finally succeed, so be particularly cautious of this
aspect of deadline behavior -- so this methodology would require you to
confirm that the update(s) are downloaded to all affected machines before
imposing the deadline.


>> 2. Does setting a deadline override the notify settings in the group
>> policy and force an automatic install?

Absolutely.


>> This makes for way more work on the approval settings to prevent
>> unexpected reboots.

No, it just requires the WSUS Admin to be aware of the impact of decisions
made, and make those decisions according to the behavior desired, and
acceptable. Deadlines should only be used where it's absolutely required
that an update is installed and functional by a specified date. Deadlines
should *never* be used on a server where unanticipated restarts cannot be
tolerated.



--
Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

The workstations were set for 4 - Auto download and schedule the install. The
schedule was set for every day at 0400. They did not do the install after at
least 4 days or so.
The server was set for 2 - notify for download and install. I logged onto
the server several times over the same 4 days or so and never received a
notification that there were updates. I am an administrator.

"Lawrence Garvin (MVP)" wrote:

> "PA Bear [MS MVP]" <> wrote in message
> news:...
>
> > Doug P wrote:
>
> >> I changed the policy for a few machines to point them to the WSUS 3
> >> server.
>
> >> They all showed up there and indicated they needed updates. I approved
> >> the
> >> updates and none of the machines installed them. I waited for a few days
> >> and nothing happened. Then I set a deadline to the updates and they all
> >> installed.
>
> So, what was the AUOptions value configured for those test machines,
> particularly the server.
>
> I'd make an educated guess that they didn't install the updates because
> AUOptions=3, and they were waiting for an Administrator to install them.
> However, when you set the deadline, and the deadline expired, the behavior
> was "by design" -- the deadlines forced the IMMEDIATE installation of all of
> those deadlined updates, overriding any configuration set in policy.
>
> This is an important point to remember about deadlines, and this behavior
> has not changed since in the introduction of deadlines with WSUS 2.0 in
> 2005 -- Deadlines override ALL policy settings, and force the installation
> AND RESTART immediately upon expiration of the deadline.
>
> >> As soon as the deadline was applied on
> >> the updates, that machine installed them and rebooted that night.
>
> The key here is whether:
> [a] The machine has a *scheduled* installation event.
> [b] The update was actually downloaded and scheduled for installation
> prior to that event.
> [c] The deadline was not yet expired.
>
> >> 1. Do I always have to set a deadline to get the updates installed?
>
> No.
>
> However, if a machine has AUOption=3, it is one way to avoid the need to
> have an administrator log onto the machine and install the updates
> interactively.
>
> You can use AUOption=3, normal approvals on updates, to ensure updates are
> downloaded to all machines, and then use the deadline to control the start
> of your installation/restart time. Warning: If the update is not yet
> downloaded, a deadline will force the installation/restart at the point when
> the download does finally succeed, so be particularly cautious of this
> aspect of deadline behavior -- so this methodology would require you to
> confirm that the update(s) are downloaded to all affected machines before
> imposing the deadline.
>
>
> >> 2. Does setting a deadline override the notify settings in the group
> >> policy and force an automatic install?
>
> Absolutely.
>
>
> >> This makes for way more work on the approval settings to prevent
> >> unexpected reboots.
>
> No, it just requires the WSUS Admin to be aware of the impact of decisions
> made, and make those decisions according to the behavior desired, and
> acceptable. Deadlines should only be used where it's absolutely required
> that an update is installed and functional by a specified date. Deadlines
> should *never* be used on a server where unanticipated restarts cannot be
> tolerated.
>
>
>
> --
> Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My Websites: http://www.onsitechsolutions.com;
> http://wsusinfo.onsitechsolutions.com
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>
>

"Doug P" <> wrote in message
news:7B4AC3F5-5E33-49AC-93FD-...
> The workstations were set for 4 - Auto download and schedule the install.
> The
> schedule was set for every day at 0400. They did not do the install after
> at
> least 4 days or so.

Then let's look at the log entries for 4:00am on one of these machines and
determine why the installation is not occuring as scheduled.

The first presumption is that the machines were actually powered on at 4am.


> The server was set for 2 - notify for download and install. I logged onto
> the server several times over the same 4 days or so and never received a
> notification that there were updates.

Maybe there weren't any updates to install at that time?

Review the WindowsUpdate.log and determine when the updates were actually
detected/downloaded to the server.

Nevertheless, the fundamental issue still is a factor of setting the
deadline, which overrides all other policy configurations.

>> However, when you set the deadline, and the deadline expired, the
>> behavior
>> was "by design" -- the deadlines forced the IMMEDIATE installation of all
>> of
>> those deadlined updates, overriding any configuration set in policy.
>>
>> This is an important point to remember about deadlines, and this behavior
>> has not changed since in the introduction of deadlines with WSUS 2.0 in
>> 2005 -- Deadlines override ALL policy settings, and force the
>> installation
>> AND RESTART immediately upon expiration of the deadline.


--
Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

I think this has resolved itself somehow. If it happens again, I'll check the
logs.

"Lawrence Garvin (MVP)" wrote:

> "Doug P" <> wrote in message
> news:7B4AC3F5-5E33-49AC-93FD-...
> > The workstations were set for 4 - Auto download and schedule the install.
> > The
> > schedule was set for every day at 0400. They did not do the install after
> > at
> > least 4 days or so.
>
> Then let's look at the log entries for 4:00am on one of these machines and
> determine why the installation is not occuring as scheduled.
>
> The first presumption is that the machines were actually powered on at 4am.
>
>
> > The server was set for 2 - notify for download and install. I logged onto
> > the server several times over the same 4 days or so and never received a
> > notification that there were updates.
>
> Maybe there weren't any updates to install at that time?
>
> Review the WindowsUpdate.log and determine when the updates were actually
> detected/downloaded to the server.
>
> Nevertheless, the fundamental issue still is a factor of setting the
> deadline, which overrides all other policy configurations.
>
> >> However, when you set the deadline, and the deadline expired, the
> >> behavior
> >> was "by design" -- the deadlines forced the IMMEDIATE installation of all
> >> of
> >> those deadlined updates, overriding any configuration set in policy.
> >>
> >> This is an important point to remember about deadlines, and this behavior
> >> has not changed since in the introduction of deadlines with WSUS 2.0 in
> >> 2005 -- Deadlines override ALL policy settings, and force the
> >> installation
> >> AND RESTART immediately upon expiration of the deadline.
>
>
> --
> Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My Websites: http://www.onsitechsolutions.com;
> http://wsusinfo.onsitechsolutions.com
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>
>