5

I use WSUS to patch a number of Windows Server 2008 R2 x64. It usually works great, until today.

Last week Microsoft shipped a critical patch KB2992611 to fix critical problems in the crypto library ("the SChannel patch"). I used the WSUS deadline feature in order to deploy the patch immediately (out of office hours). However, it was soon revealed that the patch had bugs, so Microsoft shipped an updated version 2 of the patch. When WSUS picked the version 2 patch up, it immediately patched and rebooted all my production machines, since the patch was still marked as having a deadline. This was probably not what Microsoft had in mind, and it was certainly not what I had in mind.

Andreas F
    If you have an answer to your own question, please post it as an answer—it's entirely okay, and you can accept it 48 hours after you posted your question. – bwDraco Nov 20 '14 at 00:37

2 Answers

3

Answer: Never use the WSUS deadline feature on production servers - always update and reboot manually. Using it means risk of unplanned downtime.

Andreas F
  • That's a bit drastic. If you have _removed_ the deadline after applying the patch, you would have been fine. But yeah, leaving an old active deadline is asking for unexpected things later. – Joel Coel Nov 20 '14 at 15:14
0

WSUS, at least on Server 2016, can disable such behaviour. In the GUI, look at Options, Automatic Approvals, Advanced tab. There's an option in there, 'Automatically approve new revisions of updates that are already approved'; this defaults to enabled, and you can disable it.

Chalky
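An added example (not code from the thread) that does from PowerShell what the two fixes above describe: list approvals that still carry a deadline, as in Joel Coel's comment, and switch off the automatic approval of new revisions that Chalky's answer points to. It assumes it runs on the WSUS server itself with the WSUS administration assembly installed, that the GUI option maps to the API property AutoRefreshUpdateApprovals, and that an approval without a deadline reports DateTime.MaxValue.

```powershell
# Added example, not from the original thread. Assumes the script runs on the
# WSUS server, where Microsoft.UpdateServices.Administration is available.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# 1. Report every approval that still has an active deadline. A leftover deadline
#    is what made the re-released KB2992611 install and reboot immediately.
#    Assumption: an approval with no deadline reports [DateTime]::MaxValue.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
foreach ($update in $wsus.GetUpdates($scope)) {
    foreach ($approval in $update.GetUpdateApprovals()) {
        if ($approval.Deadline -ne [DateTime]::MaxValue) {
            New-Object PSObject -Property @{
                Update   = $update.Title
                Group    = $approval.GetComputerTargetGroup().Name
                Deadline = $approval.Deadline
            }
        }
    }
}

# 2. Disable "Automatically approve new revisions of updates that are already
#    approved" (assumed API name: AutoRefreshUpdateApprovals) so a re-released
#    update waits for manual approval instead of inheriting the old approval
#    and its deadline.
$config = $wsus.GetConfiguration()
if ($config.AutoRefreshUpdateApprovals) {
    $config.AutoRefreshUpdateApprovals = $false
    $config.Save()
}
```

Run part 1 after an emergency deadline has done its job and clear any approvals it lists; part 2 only needs to be run once per server.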