From WindowsUpdate.log (this is from a different server than before, so I see the
“Agent” is in charge here):
“2015-05-23 02:00:03:150 416 3014 PT Initializing simple targeting cookie, clientId = 616408b4-eb82-4c8f-b496-c3e9c1c433f3, target group = , DNS name = <FQDN>”
“2015-05-23 02:01:39:230 416 3014 Report REPORT EVENT: {A4F0A425-39CB-43B3-B24E-88D9D85CFA99} 2015-05-23 02:01:39:137-0400 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 CcmExec Success Software Synchronization Windows Update Client successfully detected 243 updates.
2015-05-23 02:01:39:230 416 3014 Report REPORT EVENT: {AFDDC99D-60FF-4ACC-A555-DE701EBF67AD} 2015-05-23 02:01:39:137-0400 1 156 101 {00000000-0000-0000-0000-000000000000} 0 0 CcmExec Success Pre-Deployment Check Reporting client status.”
And later, after the install but before checking reboot status:
“2015-05-23 02:55:11:628 240 1264 Agent * Target group: (Unassigned Computers)”
This group (Unassigned Computers) is from the WSUS server, correct? I have
some systems populated in this group. My question is, are there supposed to be
any systems populated in this group in the WSUS console? If not, then maybe
something is configured incorrectly. I did not configure WSUS upon install,
but let SCCM do it, but who knows. It can’t be coincidence, however, that these
updates installed at around 2:00 am on Saturday morning, which is exactly when
I had this deployment scheduled to run.
I checked auditing logs but could only find deployments for packages, not
software updates.
Also, I have seen this happen live and checked the records in the SCCM console
and even though the server was running updates, via Software Center, there
were no deployments in the Deployments tab in the properties of the record.
Thanks.
From: [email protected] [mailto:[email protected]] On
Behalf Of elsalvoz
Sent: Tuesday, May 26, 2015 10:40 AM
To: [email protected]
Subject: Re: [mssms] RE: Software Updates Applied to Servers Without Approval
Well, that means somehow they were targeted with those updates. You don't need
to use SUGs to target an update, they can be done individually. You may be able
to find a report that gives you some details but logs would be the primary
source of info.
Another theory would have been WSUS being used outside SCCM but would not show
up in system center app.
Maybe they were made available and removed after. You can check audit message
in monitoring.
Cesar A
On May 26, 2015 7:03 AM, "Gushue, William" <[email protected]> wrote:
I don’t believe anyone else triggered it. I am more concerned about the fact
that they were targeted in the first place. As these servers were in no
collection that had a Software Update Group targeted to them, I would assume
that even if they did check for updates against SCCM they would have seen that
nothing was “approved” for the servers and had done nothing. But they did show
up in Software Center (that is how the admins knew it was happening) and they
did reboot (some were being monitored at the time and some weren’t).
Never thought to use Maintenance Windows in that fashion – something to think
about. Thanks.
From: [email protected] [mailto:[email protected]] On Behalf Of Mote, Todd
Sent: Tuesday, May 26, 2015 9:28 AM
To: [email protected]
Subject: [mssms] RE: Software Updates Applied to Servers Without Approval
Both can be active at the same time, so sure, they could show up in Software
Center and then get installed by Automatic Updates. Equal opportunity, first
come first serve. ☺ I have a group policy that specifically turns off
Automatic Updates, that I apply to my SCCM clients that use Software Updates to
patch.
Also, make liberal use of Maintenance Windows when patching servers.
Maintenance Windows will make sure you don’t have to worry about SCCM doing
anything until the time you set the maintenance window for. That way it’s easy
to rule out SCCM as a culprit. And you have the flexibility of setting a
window to expire in the past and never having SCCM do anything.
Another thing that bites folks, usually just once, is UTC. One way or
another the deployment gets set to happen at UTC rather than local time and it
can seem as though SCCM randomly did something, when in reality, over in
Greenwich, it was exactly the time it was told to do whatever it was told to do.
Another possibility... Are you the only one that could initiate installs? Is
there another administrator that might have started things via Software Center?
Todd
From: [email protected] [mailto:[email protected]] On Behalf Of Gushue, William
Sent: Tuesday, May 26, 2015 8:10 AM
To: [email protected]
Subject: [mssms] RE: Software Updates Applied to Servers Without Approval
Another question, though: If they are installed via AU, would this information
still show up in Software Center? The notifications were displayed in Software
Center and it was Software Center that actually performed the reboot (Event
Viewer shows Ccmexec performing the reboot).
From: [email protected] [mailto:[email protected]] On Behalf Of Mote, Todd
Sent: Monday, May 25, 2015 9:06 PM
To: myITforum SMS List ([email protected])
Subject: [mssms] RE: Software Updates Applied to Servers Without Approval
UX usually means ‘user experience’, but you’ve got some other key words in
there like, ‘AU’ and ‘interactive’. Do these servers have Automatic Updates
Group Policy applied anywhere?
In c:\windows\ccm\logs you should be able to see stuff around the scan in
updatesdeployment.log, scanagent.log, datatransferservice.log,
updateshandler.log, updatesstore.log and wuahandler.log to see all of the
updates.
Also, in windowsupdate.log you should see more stuff like this:
2015-05-25 19:14:24:752 5272 14f4 COMAPI -- START -- COMAPI: Search [ClientId = CcmExec]
2015-05-25 19:14:24:752 5272 14f4 COMAPI ---------
2015-05-25 19:14:24:753 940 c14 Agent *************
2015-05-25 19:14:24:753 940 c14 Agent ** START ** Agent: Finding updates [CallerId = CcmExec]
2015-05-25 19:14:24:753 940 c14 Agent *********
2015-05-25 19:14:24:753 940 c14 Agent * Include potentially superseded updates
2015-05-25 19:14:24:753 940 c14 Agent * Online = No; Ignore download priority = Yes
2015-05-25 19:14:24:753 940 c14 Agent * Criteria = "((DeploymentAction=* AND Type='Software' AND CategoryIDs contains '84F5F325-30D7-41C4-81D1-87A0E6535B66') OR (DeploymentAction=* AND Type='Software' AND CategoryIDs contains '704A0A4A-518F-4D69-9E03-10BA44198BD5') OR (DeploymentAction=* AND Type='Software' AND CategoryIDs contains '6248B8B1-FFEB-DBD9-887A-2ACF53B09DFE') OR (DeploymentAction=* AND Type='Software' AND CategoryIDs contains '1403F223-A63F-F572-82BA-C92391218055') OR (DeploymentAction=* AND Type='Software' AND CategoryIDs contains '041E4F9F-3A3D-4F58-8B2F-5E6FE95C4591') OR (DeploymentAction=* AND Type='Software' AND CategoryIDs contains 'B54E7D24-7ADD-428F-8B75-90A396FA584F') OR (DeploymentAction=* AND Type='Software' AND CategoryIDs contains '0FA1201D-4330-4FA8-8AE9-B877473B6441'))"
2015-05-25 19:14:24:753 940 c14 Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2015-05-25 19:14:24:753 940 c14 Agent * Search Scope = {Machine}
2015-05-25 19:14:24:753 940 c14 Agent * Caller SID for Applicability: S-1-5-18
2015-05-25 19:14:24:758 5272 14f4 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]
2015-05-25 19:14:27:089 940 c14 Agent * Added update {BDB0E301-5660-4DB8-A396-F3C9C0C10776}.201 to search result
2015-05-25 19:14:27:090 940 c14 Agent * Added update {D391DE02-B9A1-4C5B-B8C1-7ECCA958ACDF}.203 to search result
2015-05-25 19:14:27:090 940 c14 Agent * Added update {92504704-BF09-4CE5-8436-90B6AE8A842A}.201 to search result
2015-05-25 19:14:27:090 940 c14 Agent * Added update {28904808-0DBB-4812-9A9A-7E9977ADE38A}.202 to search result
2015-05-25 19:14:27:090 940 c14 Agent * Added update {09257309-72A1-4622-B9DA-610B9E037E2E}.201 to search result
2015-05-25 19:14:27:090 940 c14 Agent * Added update {C822D00A-FEC3-4B65-8F63-6E6BEA292944}.203 to search result
That 5th column in yours shows ‘AU’ which typically means Auto Update, and not
‘Agent’ like mine above which should be your sccm client doing stuff.
Looks to me like they did what they were told, it just wasn’t SCCM. Maybe WSUS
via Group Policy?
Todd
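The AU-versus-Agent distinction described in the message above, as an added example that is not part of the original thread: a small Python parser that attributes WindowsUpdate.log activity to Automatic Updates or to a named API caller such as CcmExec, tolerating entries that mail wrapping has split across lines. The field layout is assumed from the excerpts quoted in the thread, the sample entries are constructed from them, and the function names are hypothetical.

```python
import re

# Fields as they appear in the excerpts: date, time, PID, TID (hex), component, text.
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2}:\d{3})\s+"
                   r"\d+\s+[0-9a-fA-F]+\s+(\S+)\s*(.*)$")
CALLER = re.compile(r"\[(?:CallerId|ClientId) = ([^\]]+)\]")
UPDATE_ID = re.compile(r"updateId\s*=\s*(\{[0-9A-Fa-f-]+\}\.\d+)")

def parse(raw):
    """Return one dict per log entry, re-joining lines split by mail wrapping."""
    entries = []
    for line in raw.splitlines():
        line = line.strip().strip("“”")
        m = ENTRY.match(line)
        if m:
            date, time, component, text = m.groups()
            entries.append({"ts": f"{date} {time}", "component": component, "text": text})
        elif entries and line:  # continuation of the previous entry
            entries[-1]["text"] = f"{entries[-1]['text']} {line}".strip()
    return entries

def attribute(entries):
    """Collect the evidence that shows who drove the update activity."""
    found = {"au_approvals": [], "callers": {}, "target_groups": set()}
    for e in entries:
        text = e["text"]
        if e["component"] == "AU" and "Auto-approving update" in text:
            m = UPDATE_ID.search(text)
            found["au_approvals"].append((e["ts"], m.group(1) if m else None))
        m = CALLER.search(text)
        if m:  # API caller named in the entry, e.g. CcmExec for the SCCM client
            found["callers"].setdefault(m.group(1), set()).add(e["component"])
        if "Target group:" in text:
            found["target_groups"].add(text.split("Target group:", 1)[1].strip())
    return found

# Constructed sample: entries adapted from the excerpts in this thread, wrapped as mailed.
SAMPLE = """\
2015-05-25 10:26:07:303 1224 5b5c AU
Auto-approving update for download, updateId =
{0087DF01-B453-4F5E-B5B4-E61911BCF5A8}.200, ApprovalIsForUx=1, UpdateOwner=UX
2015-05-25 19:14:24:752 5272 14f4 COMAPI
-- START -- COMAPI: Search [ClientId = CcmExec]
2015-05-25 19:14:24:753 940 c14 Agent ** START
** Agent: Finding updates [CallerId = CcmExec]
2015-05-23 02:55:11:628 240 1264 Agent * Target
group: (Unassigned Computers)
"""
print(attribute(parse(SAMPLE)))
```

Entries listed under `au_approvals` were approved by the Automatic Updates component, while `callers` shows which components acted on behalf of a named caller such as CcmExec.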
From: [email protected] [mailto:[email protected]] On Behalf Of Gushue, William
Sent: Monday, May 25, 2015 2:10 PM
To: myITforum SMS List ([email protected])
Subject: [mssms] Software Updates Applied to Servers Without Approval
I configured a Software Update Group to deploy to a group of servers this past
weekend. A number of other servers ended up installing the updates. I have:
1. Checked the collection (which I have since deleted) to ensure the correct
servers were added.
2. Checked the Properties of the servers that received the updates (even though
they shouldn’t have) and there were NO deployments in the Deployments tab.
3. Checked reports and they tell me the updates were required, but there was no
check mark under “Approved”
4. Checked for Duplicate GUIDs and there are none that apply.
5. Checked the Windows Update log file and see the following:
“2015-05-25 10:26:07:179 1224 5b5c AU AU received approval from UX for 43 updates
2015-05-25 10:26:07:179 1224 5b5c AU AU setting pending client directive to 'Progress Ux'
2015-05-25 10:26:07:303 1224 5b5c AU BeginInteractiveInstall invoked for Download
2015-05-25 10:26:07:303 1224 5b5c AU Auto-approving update for download, updateId = {0087DF01-B453-4F5E-B5B4-E61911BCF5A8}.200, ApprovalIsForUx=1, UpdateOwner=UX, HasDeadline=0, IsMinor=0” – which indicates something approved them, but I am
not sure what “UX” means.
Is there anywhere on the client itself where I can see something to the effect
“I am supposed to apply these updates and it’s because I am in this
collection”? I have been using PolicySpy and checking PolicyEvaluator and
PolicyAgent but have yet to come across why these updates got approved for
these systems. I am usually pretty good at tracking down my own mistakes, but
this one has me stumped.
Thanks.