Here's a weird one. This past weekend, we applied MS patches on our
regular patching schedule. This means: all updates released up until
August Patch Tuesday to all servers; all updates released since August
up to Sept Patch Tuesday, assigned to a testing group of servers.
We've done it this way for years, and we're comfortable with it.

So I made the appropriate approvals last Monday (2015-09-14), and
double checked that I approved the proper patches, for the proper
groups of servers. And I did. We were all set to go.

But on Sunday, the testing group of servers saw all the correct number
of patches they should have gotten from the WSUS 3.0 SP2 server (24+,
depending on the specific mix of software installed on the server),
but all of the production machines said there were no patches to be
applied (or at most one).

I checked again; all August patches had a status of "Install", so they
should have been presented to all servers. (Obviously the testing
group got these patches last month.) I had to remove approval for all
patches; re-approve and apply to all children; and *then* the
production servers began seeing patches.

And I don't know why this happened. Here's a sample snippet from a
Windows Update log from one of those clients, from before and after I
re-ran the approval:

============
2015-09-20 08:54:59:077 996 7e0 Agent  * Found 0 updates and 76
categories in search; evaluated appl. rules of 1053 out of 1776
deployed entities
2015-09-20 08:54:59:078 996 7e0 Agent *********
2015-09-20 08:54:59:079 996 7e0 Agent **  END  **  Agent: Finding
updates [CallerId = AutomaticUpdates]

2015-09-20 09:12:33:574 996 460 AU Triggering AU detection through DetectNow API
2015-09-20 09:12:33:574 996 460 AU Triggering Online detection (interactive)
2015-09-20 09:12:33:575 996 10a4 AU #############
2015-09-20 09:12:33:575 996 10a4 AU ## START ##  AU: Search for updates
2015-09-20 09:12:33:575 996 10a4 AU #########

2015-09-20 09:13:06:064 996 7e0 Agent  * Found 10 updates and 76
categories in search; evaluated appl. rules of 1053 out of 1776
deployed entities
============

You can see that for some reason, it showed 0 updates waiting. Then, I
did my re-approval on the WSUS server, and told the client to check
for updates again (via the Control Panel applet). And you can see that
it then found 10 updates.

So what the heck happened? Why would only one group of clients (the
testing group) not have any issues seeing any approved patches, yet
all the other groups did not? And yet the Update screen properly
showed the correct approval status for all patches. All the servers
had a check-in date that was current (i.e., after the approval was
applied last week), so they should all have gotten the list that was
assigned to them. And the testing group did, but none of the other
groups.

SO:
1. Where do I start digging on the WSUS server to find out why it
didn't tell all the other groups that patches had been approved that
applied to all groups?
2. How do I make sure that the servers got all patches? (Delete the
client, and do a /resetauthorization /detectnow? Let it completely
rebuild?)
3. How do I make sure it never happens again?

It wasn't my weekend to work applying patches, but I got called in to
fix it and help out, so I am more than slightly annoyed at my WSUS
server this morning. LOL
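One place to start digging for question 1, as an added example that is not part of the original post: compare, update by update, which WSUS target groups actually carry an Install approval, using the WSUS administration .NET API that ships with the WSUS 3.0 SP2 console. It assumes it is run on the WSUS server itself under an account in the WSUS Administrators group; group names in the output are whatever your server defines.

```powershell
# Added example (not from the original post). For every update whose latest
# revision is approved, list the target groups that do NOT have an Install
# approval, so a production group that silently lost its August approvals
# stands out next to the testing group that kept them.
# Assumption: run locally on the WSUS 3.0 SP2 server as a WSUS administrator.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Map target-group id -> name so the report reads by group name.
$groupNames = @{}
foreach ($g in $wsus.GetComputerTargetGroups()) { $groupNames[$g.Id] = $g.Name }

# Restrict the query to updates whose latest revision is approved somewhere.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

$report = @()
foreach ($u in $wsus.GetUpdates($scope)) {
    # Groups holding an Install approval for this update. GetUpdateApprovals()
    # returns inherited approvals too, so a child group that only inherits
    # from "All Computers" still shows up here.
    $installGroups = @()
    foreach ($a in $u.GetUpdateApprovals()) {
        if ($a.Action -eq [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install) {
            $installGroups += $groupNames[$a.ComputerTargetGroupId]
        }
    }
    # Any group not in that list is one whose clients will be told "0 updates"
    # for this update, whatever the console's summary column says.
    $missing = @($groupNames.Values | Where-Object { $installGroups -notcontains $_ })
    if ($installGroups.Count -gt 0 -and $missing.Count -gt 0) {
        $report += New-Object PSObject -Property @{
            Update         = $u.Title
            ApprovedFor    = ($installGroups -join ", ")
            NotApprovedFor = ($missing -join ", ")
        }
    }
}
$report | Sort-Object Update | Format-Table Update, ApprovedFor, NotApprovedFor -AutoSize -Wrap
```

Run it before and after a re-approval and diff the two outputs; if the NotApprovedFor column for the production groups shrinks to nothing, the approvals were the problem rather than the clients' detection.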