I have a bunch of AD-joined Windows servers that update through WSUS. You can see the specific WSUS GPO here: http://imgur.com/a/LHjll

In June an update (KB3159398) was installed that caused problems, so this particular update was declined in WSUS. So far so good.

Since then, I have seen this update being installed on multiple servers, even though this particular update is still blocked in WSUS. According to the Update Services Change.log, the update was blocked and hasn't been installed since.

The update was installed by the SYSTEM user, so it is not an administrator who installed the update.

According to the WindowsUpdate.log from the server, the server didn't register with the WSUS server on this specific day, and the update was downloaded online and not through WSUS:

Agent * WSUS server: NULL
Agent * WSUS status server: NULL
Agent * Target group: (Unassigned Computers)
Agent * Windows Update access disabled: No

How do I debug this further in order to stop this update ever being installed again?

praecox
  • `this particular update was blocked in WSUS` - How did you block it? Do you mean that you declined it or you unapproved it? Can you show us the status of the update in WSUS? – joeqwerty Sep 21 '16 at 01:23
  • The update was declined in WSUS. I have corrected the wording. A status report confirms that it is "Not approved" for all WSUS computer groups. – praecox Sep 21 '16 at 08:06
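The four "Agent *" lines quoted in the question are the ones that tell you whether the client was talking to WSUS at all: a WSUS server of NULL and a target group of "(Unassigned Computers)" mean the WUServer policy was not in effect for that scan, so the agent went to Microsoft's public servers instead. The following PowerShell is an added example (not code from the question or from Microsoft) that pulls those values and any download.windowsupdate.com URLs out of a legacy (pre-Windows 10) WindowsUpdate.log and reports findings. The sample log is constructed in the general layout of that log; the KB number is the one from the question, the URL path is a placeholder, and the WSUS host name is an assumption. On Windows 10 / Server 2016 and later the log is stored as ETL and has to be rendered first with Get-WindowsUpdateLog before it can be read this way.

```powershell
# Added example (not from the original post): classify WindowsUpdate.log lines to
# tell whether a client registered with WSUS or fell back to the public update servers.
# Sample lines are constructed (date, time, pid, tid, component, message layout);
# the download URL path is a placeholder.
$SampleLog = @'
2016-09-20	03:01:12:101	 900	1a4	Agent	  * WSUS server: NULL
2016-09-20	03:01:12:101	 900	1a4	Agent	  * WSUS status server: NULL
2016-09-20	03:01:12:101	 900	1a4	Agent	  * Target group: (Unassigned Computers)
2016-09-20	03:01:12:101	 900	1a4	Agent	  * Windows Update access disabled: No
2016-09-20	03:04:55:230	 900	1a4	DnldMgr	  * Updated WU download URL: http://au.download.windowsupdate.com/PLACEHOLDER/kb3159398.cab
'@

function Get-WuaLogAssessment {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        # Host name of your WSUS server as written in the WUServer policy (assumed value)
        [string] $ExpectedWsusHost
    )
    $result = [ordered]@{
        WsusServer        = $null
        WsusStatusServer  = $null
        TargetGroup       = $null
        AccessDisabled    = $null
        InternetDownloads = @()
        Findings          = @()
    }
    foreach ($line in $Lines) {
        # With -Regex every matching clause runs, so one line can feed several fields
        switch -Regex ($line) {
            'WSUS server: (.+)$'                    { $result.WsusServer       = $Matches[1].Trim() }
            'WSUS status server: (.+)$'             { $result.WsusStatusServer = $Matches[1].Trim() }
            'Target group: (.+)$'                   { $result.TargetGroup      = $Matches[1].Trim() }
            'Windows Update access disabled: (\w+)' { $result.AccessDisabled   = ($Matches[1] -eq 'Yes') }
            'https?://\S*download\.windowsupdate\.com\S*' { $result.InternetDownloads += $Matches[0] }
        }
    }
    $noWsus = ($result.WsusServer -eq 'NULL' -or -not $result.WsusServer)
    if ($noWsus) {
        $result.Findings += 'Client is not pointed at a WSUS server (WUServer policy absent or not applied); it scans Microsoft Update directly.'
    } elseif ($ExpectedWsusHost -and $result.WsusServer -notmatch [regex]::Escape($ExpectedWsusHost)) {
        $result.Findings += "Client points at '$($result.WsusServer)', not the expected WSUS host '$ExpectedWsusHost'."
    }
    if ($result.InternetDownloads.Count -gt 0) {
        $result.Findings += "Binaries were fetched from download.windowsupdate.com, bypassing WSUS approvals: $($result.InternetDownloads -join ', ')"
    }
    if ($noWsus -and $result.AccessDisabled -eq $false) {
        $result.Findings += 'Windows Update access is not disabled, so nothing stops the fallback.'
    }
    [pscustomobject]$result
}

# Run against the constructed sample; on a real server use the live log instead:
#   Get-WuaLogAssessment -Lines (Get-Content "$env:windir\WindowsUpdate.log") -ExpectedWsusHost 'wsus.corp.example'
Get-WuaLogAssessment -Lines ($SampleLog -split "`r?`n") -ExpectedWsusHost 'wsus.corp.example' | Format-List
```

Against the constructed sample this reports three findings: no WSUS server, a download from download.windowsupdate.com, and Windows Update access not being disabled. Run it across the servers that received the update and compare with the ones that did not; if only the affected servers show a NULL WSUS server, the problem is policy application on those machines rather than WSUS itself.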

2 Answers

After several hints and pointers from different comments, I narrowed in on the problem and found a solution. I have updated the question with relevant information.

The WindowsUpdate.log showed that the server didn't register correctly with WSUS, and then did a Windows Update around the WSUS server.

The solution was to block Windows Update, so servers would never update around WSUS. This was done through a Group Policy:

User Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows update features

praecox
  • The issue occurred again. As a computer should not fallback to Windows Update if it's assigned to WSUS, this seems to be a GPO-issue, where the WSUS GPO isn't assigned correctly. – praecox Oct 26 '16 at 13:48
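Both the GPO fix in this answer and the later comment that the WSUS GPO was not applying come down to a handful of registry values under the Windows Update policy key. The PowerShell below is an added example (not code from the answer or from Microsoft) that reads those values on a server and flags a state in which the machine can fall back to the public update servers. The policy value names are the documented ones written by the WSUS and "Remove access to use all Windows Update features" policies; the expected WSUS URL is an assumption. Note that the GPO named in this answer exists under both Computer Configuration and User Configuration; the computer-scope one writes DisableWindowsUpdateAccess under HKLM, which is what this script reads, while the per-user variant writes a key under HKCU that this script does not check. DoNotConnectToWindowsUpdateInternetLocations exists from Windows 8.1 / Server 2012 R2 onwards.

```powershell
# Added example (not from the original answer): audit the machine-scope Windows Update
# policy values that the WSUS GPO writes and report why a server could scan and
# download from Microsoft's servers instead of WSUS. The expected WUServer value is assumed.
function Test-WsusPolicy {
    param(
        # What the WSUS GPO should have written, e.g. http://wsus.corp.example:8530 (assumed)
        [Parameter(Mandatory)] [string] $ExpectedWUServer
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'
    # Missing keys just yield $null values; that is itself a finding below
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    $state = [ordered]@{
        WUServer                                     = $wu.WUServer
        WUStatusServer                               = $wu.WUStatusServer
        UseWUServer                                  = $au.UseWUServer
        DisableWindowsUpdateAccess                   = $wu.DisableWindowsUpdateAccess
        DoNotConnectToWindowsUpdateInternetLocations = $wu.DoNotConnectToWindowsUpdateInternetLocations
        Findings                                     = @()
    }

    if (-not $wu) {
        $state.Findings += "Policy key $wuKey is missing: the WSUS GPO has not applied to this computer (compare with gpresult /r /scope:computer)."
    } else {
        # UseWUServer=1 is what makes the agent honour WUServer at all
        if ($au.UseWUServer -ne 1) {
            $state.Findings += 'AU\UseWUServer is not 1: the agent ignores WUServer and scans Microsoft Update.'
        }
        if ($wu.WUServer -ne $ExpectedWUServer) {
            $state.Findings += "WUServer is '$($wu.WUServer)', expected '$ExpectedWUServer'."
        }
        if ($wu.WUStatusServer -ne $ExpectedWUServer) {
            $state.Findings += "WUStatusServer is '$($wu.WUStatusServer)', expected '$ExpectedWUServer'."
        }
    }
    # Either of these blocks the fallback to the public servers at machine scope
    if ($wu.DisableWindowsUpdateAccess -ne 1 -and $wu.DoNotConnectToWindowsUpdateInternetLocations -ne 1) {
        $state.Findings += 'Neither DisableWindowsUpdateAccess nor DoNotConnectToWindowsUpdateInternetLocations is set at machine scope; a client whose WSUS policy drops off can reach the internet update servers.'
    }
    [pscustomobject]$state
}

Test-WsusPolicy -ExpectedWUServer 'http://wsus.corp.example:8530' | Format-List
```

Running this on a server right after it installed a declined update, and again after gpupdate /force, shows directly whether the WSUS values are being written and then lost (a GPO scoping, WMI filter or security filtering problem) or were never written at all.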

If you explicitly blocked the update in WSUS it shouldn't be downloaded from the WSUS server. In the WindowsUpdate.log do you actually see that the client is connecting to your WSUS server (and not someplace entirely different, like the internet) and downloading the problem update? If the update is not being downloaded but still being installed, it is possible that the update is stuck in the update cache. Try clearing the cache with the following commands:

rem Stop the Windows Update Agent so the cache files are not in use
net stop wuauserv
rem Go to the Windows Update cache root (%Windir%\SoftwareDistribution)
cd /d %Windir%\SoftwareDistribution
rem Delete the cached downloads; /F forces read-only files, /S recurses, /Q suppresses prompts
del /F /S /Q Download
net start wuauserv
rem Ask the agent to run a fresh detection cycle
wuauclt /detectnow

wrieedx
  • I have compared WindowsUpdate.log from several different servers and the update was in fact downloaded online from au.download.windowsupdate.com and not from WSUS. – praecox Sep 21 '16 at 11:37
  • Seeing that you would not have been able to solve your problem without my help, an upvote would be greatly appreciated (especially considering that I need just 10 more reputation in order to comment on other people's posts). :) – wrieedx Sep 23 '16 at 00:29