WSUS Policy being removed

Discussion in 'Update Services' started by Dave Mills, Nov 5, 2009.

  1. Dave Mills

    Dave Mills Guest

    In the past I have thought that the settings on the client for the WSUS server
    remained when a GPO no longer applies to the client. This is not happening now:
    when the GPO making the settings for WSUS (server, update time etc.) is no
    longer applied to a client, the client reverts to using Microsoft as the AU
    server.

    Is my memory failing or has this changed recently?
    I am using WSUS 3 SP2
     
    Dave Mills, Nov 5, 2009
    #1

  2. This has not changed, to my knowledge.

    However if there's an existing policy with a lower application priority with
    AU disabled, moving a client out of an OU or unlinking a GPO could cause a
    policy at any other level (Local, Site, Domain) to become "in force".

    I'd run RSOP on the client and see where it's getting the UseWUServer config
    value from. (i.e. "Specify intranet Microsoft update services location" is
    disabled).


    --
    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)

    My Blog: http://onsitechsolutions.spaces.live.com
    Microsoft WSUS Website: http://www.microsoft.com/wsus
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
     
    Lawrence Garvin [MVP], Nov 5, 2009
    #2
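
The check suggested in the post above, as an added example that is not part of the original thread: it reads the Windows Update policy values the client actually has under the "policies" key and lists the computer GPOs in force. The function name `Get-PolicyValue` and the report layout are assumptions made for this example.

```powershell
# Added example (not from the thread): show which update source the
# Windows Update Agent will use, based on the policy registry values.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the setting
    # is not delivered by any policy currently applied to this client.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$state = [pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    WUServer       = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer = Get-PolicyValue $wuKey 'WUStatusServer'
    UseWUServer    = Get-PolicyValue $auKey 'UseWUServer'
    NoAutoUpdate   = Get-PolicyValue $auKey 'NoAutoUpdate'
    AUOptions      = Get-PolicyValue $auKey 'AUOptions'
}

# The agent only uses the intranet server when UseWUServer is 1 and a
# WUServer URL is present; otherwise it falls back to Microsoft Update.
$source = if ($state.UseWUServer -eq 1 -and $state.WUServer) {
    "WSUS ($($state.WUServer))"
} else {
    'Microsoft Update (no intranet server policy in force)'
}
$state | Add-Member -NotePropertyName UpdateSource -NotePropertyValue $source

$state | Format-List

# List the computer-scope GPOs applied to this client, to see which
# policy object (if any) should be delivering the values above.
gpresult /r /scope computer
```

Run it from an elevated prompt before and after moving the computer object or unlinking the GPO (with a `gpupdate /force` in between) to see whether the values are removed or left behind.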

  3. Dave Mills

    Dave Mills Guest

    Thanks for confirming my memory is not at fault :)

    I simply moved the PC to the default "computers" container. There are just 4
    GPOs applied at the domain level and none touch the WSUS settings, there are no
    Site GPOs. As soon as the PC is rebooted I start getting the Yellow Shield
    prompting to set up Auto Update.

    The WSUS setup was done more than 2 years ago and I have not needed to make any
    change to its design since the beginning. The only significant change was the
    installation of WSUS SP2 a couple of weeks ago (installed over SP1). I do not
    move PCs out of the WSUS scope very often so was somewhat surprised when I
    stumbled across this on Wednesday.

    If this has been changed then I am pleased as this would make the behavior
    consistent with normal GPO behavior, i.e. the policy settings are removed when
    the policy no longer applies. I could leave the domain but that would also
    remove the "managed computer" status which could require a full re-deployment to
    fix.

    Pinning this down could become quite a lengthy process so I was hoping somebody
    else might test for this behavior by denying the WSUS GPO settings to an
    existing PC to see if the same thing happens to them in a WSUS SP2 setup.
     
    Dave Mills, Nov 6, 2009
    #3
  4. Did you check the local GPO on the machine itself?
    Time permitting, I'll try this on Monday.

    Harry.
     
    Harry Johnston [MVP], Nov 7, 2009
    #4
  5. Dave Mills

    Dave Mills Guest

    No, I never use it in an AD domain environment and this has been seen on two PCs
    so far. One, a laptop, that I first noticed this on and the second a test PC we
    install from an image whenever we need to set things up. Besides, if I install an
    image and join the domain, WSUS gets set up by the domain/newbuilds GPO. Moving
    the PC to the Computers container never used to un-configure WSUS but it is
    doing so now.
     
    Dave Mills, Nov 7, 2009
    #5
  6. I can confirm the same behaviour here. When group policy was removed, the
    previous settings (from the AU control panel) were restored.

    Harry.
     
    Harry Johnston [MVP], Nov 8, 2009
    #6
  7. ... but I can't reproduce what I thought the previous behaviour was. Windows
    XP SP2, no updated WUA, no updates of any kind, and the darn thing still reverts
    to the previous settings when the group policy is removed.

    Odd.

    Harry.
     
    Harry Johnston [MVP], Nov 9, 2009
    #7
  8. Dave Mills

    Dave Mills Guest

    Thanks for confirming this Harry. I wonder where the accepted wisdom came from
    then. Has this been changed for a long time and nobody has noticed?

    Still I prefer this as it conforms to expected behaviour for group policy.
     
    Dave Mills, Nov 9, 2009
    #8
  9. This is definitely *new* behavior.


     
    Lawrence Garvin [MVP], Nov 9, 2009
    #9
  10. That is weird... because on numerous occasions I've observed registry values
    "left over" from policy settings changed back to "Not Configured".

    And, maybe this has to do with the difference between *removing* the policy, and
    simply reconfiguring a setting within an existing policy.



     
    Lawrence Garvin [MVP], Nov 9, 2009
    #10
  11. All my tests yesterday were based on reconfiguring an existing policy. I didn't
    try deleting a policy object, or moving the computer object out of scope - I'll
    see if I can make time to try this too.

    Harry.
     
    Harry Johnston [MVP], Nov 9, 2009
    #11
  12. Moving the computer object out of scope: no difference. The registry entries
    still disappeared. I wonder if something has changed in the domain?

    Harry.
     
    Harry Johnston [MVP], Nov 9, 2009
    #12
  13. Interesting. I *hate* when they change functionality of something and don't
    document it.

    Who knows when/what changed the behavior; but there are ample examples in
    the wild where people have simply "Not Configured" a setting and encountered
    issues -- the most notable being switching from client-side to server-side
    targeting, and attempting to disable WSUS as the update source.

    Note: This is most likely a change made in the GP client subsystem, not
    anything in WSUS/WUA, since all the WUA does is read the registry (and,
    somehow, respond to policy-initiated changes to key config values,
    triggering a detection when key values are changed).

    The fact that values *do* change would be a change in how the GP client is
    responding to a policy refresh. (OR.. maybe a function of how the GP
    *server* is transmitting the deltas???). Could this be a function of having
    raised domain or forest functional levels in AD DS? Is anybody not running a
    Win2008 Domain Controller, such that this could be tested in a Windows
    Server 2003 (native) AD DS environment?



     
    Lawrence Garvin [MVP], Nov 9, 2009
    #13
  14. Dave Mills

    Dave Mills Guest

    I am not sure I follow you. I am running W2003 and have a couple of W2008 member
    servers. However this behavior is exactly what has been documented for GPOs
    since W2000. When a GPO no longer applies the settings (defined under the
    "policies" key) are removed. This needs the client application to "know" about
    policies and remove the unconfigured policies. WSUS was the first exception to
    this I had seen where the settings were not removed but, although under the
    "policies" key, were retained.

    This requirement for "knowledge" of policies in the client was exactly the
    reason for the introduction of "Preferences" in W2008. These being settings that
    would not be under the "policies" key and thus not require the client
    application to "know" about policies. Preferences tattoo the registry but can
    revert the setting to the default setting upon removal. Note: this is not the
    same as revert to previous setting as per Policies.
     
    Dave Mills, Nov 9, 2009
    #14