WSUS Updates Download to Client but do not Install, despite Policy VJ 11/5/2008 7:59:02 PM We have a Policy that sets the updates to install [ at ] 4am every morning well after they synchronize to the WSUS server. The problem is most of the clients are reporting they have downloaded the updates but have not installed them. Some of the logs mention something that some security updates for office will be installed once the Administrator logs in. It seems that the clients are able to contact and synchronize with the Server and download updates but they do not install them. We have instructed users to reboot their PCs before leaving so that there are no logged on sessions and they are following protocol. Not sure what else to look for. I've recently setup a new client to test the synchronization and will update with results.

RE: WSUS Updates Download to Client but do not Install, despite Policy VJ 11/5/2008 8:09:01 PM 2008-10-20 18:14:00:014 1392 52c Report REPORT EVENT: {B3B979B3-C9D9-4466-BE82-7657F23E2B98} 2008-10-20 18:13:59:998-0700 1 189 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions: - Security Update for Windows XP (KB954154) - Security Update for Windows XP (KB938464) - Security Update for Access Snapshot Viewer 2003 (KB955439) - Security Update for Microsoft Office 2003 (KB921598) - Security Update for 2007 Microsoft Office System (KB955936) - Security Update for Microsoft Office 2003 (KB953404) - Security Update for Windows XP (KB956841) - Security Update for 2007 Microsoft Office System (KB954038) - Security Update for Windows XP (KB954211) "VJ" wrote: [Quoted Text] > We have a Policy that sets the updates to install [ at ] 4am every morning well > after they synchronize to the WSUS server. The problem is most of the > clients are reporting they have downloaded the updates but have not installed > them. Some of the logs mention something that some security updates for > office will be installed once the Administrator logs in. It seems that the > clients are able to contact and synchronize with the Server and download > updates but they do not install them. We have instructed users to reboot > their PCs before leaving so that there are no logged on sessions and they are > following protocol. Not sure what else to look for. I've recently setup a > new client to test the synchronization and will update with results.

RE: WSUS Updates Download to Client but do not Install, despite Po VJ 11/5/2008 8:50:11 PM I have recently imaged a test machine and added it to the domain here is the result of the log: 2008-11-05 12:18:12:537 1796 fb4 AU AU setting pending client directive to 'Install Approval' 2008-11-05 12:18:12:537 1796 fac Report REPORT EVENT: {AC6828BC-FA3A-485F-9498-0F843F620177} 2008-11-05 12:18:07:970-0800 1 189 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions: - Security Update for Windows XP (KB954154) - Security Update for Windows XP (KB958644) - Update for Windows XP (KB932823) - Security Update for Windows XP (KB938464) - Security Update for Windows XP (KB950749) - Security Update for Windows XP (KB951748) - Security Update for Windows XP (KB945553) - Security Update for Microsoft Office 2003 (KB921598) - Security Update for Microsoft Office PowerPoint 2003 (KB948988) - Update for Microsoft Office Outlook 2003 Junk Email Filter (KB957257) - Security Update for Outlook Express for Windows XP (KB951066) - Security Update for Windows XP (KB948590) - Cumulative Security Update for ActiveX Killbits for Windows XP (KB950760) - Update for Windows XP (KB952287) - Security Update for Windows XP (KB950762) - Security Update for Microsoft Office 2003 (KB953404) - Security Update for Microsoft Office Publisher 2003 (KB950213) - Security Update for Windows XP (KB956841) - Security Update for Windows XP (KB954211) - Security Update for Windows XP (K 2008-11-05 12:18:12:537 1796 fac Report REPORT EVENT: {54BA613F-A161-4EA1-81A8-475784D3DFF9} 2008-11-05 12:18:07:970-0800 1 162 101 {41D1F3CB-6ABF-4AF8-BBB2-FD19E6501524} 102 0 AutomaticUpdates Success Content Download Download succeeded. 2008-11-05 12:18:12:537 1796 fac Report REPORT EVENT: {4D616DC2-C2CA-4393-9FA3-6414FDE001C3} 2008-11-05 12:18:12:537-0800 1 189 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions: - Security Update for Windows XP (KB954154) - Security Update for Windows XP (KB958644) - Update for Windows XP (KB932823) - Security Update for Windows XP (KB938464) - Security Update for Windows XP (KB950749) - Security Update for Windows XP (KB951748) - Security Update for Windows XP (KB945553) - Security Update for Microsoft Office 2003 (KB921598) - Security Update for Microsoft Office PowerPoint 2003 (KB948988) - Update for Microsoft Office Outlook 2003 Junk Email Filter (KB957257) - Security Update for Outlook Express for Windows XP (KB951066) - Security Update for Windows XP (KB948590) - Cumulative Security Update for ActiveX Killbits for Windows XP (KB950760) - Update for Windows XP (KB952287) - Security Update for Windows XP (KB950762) - Security Update for Microsoft Office 2003 (KB953404) - Security Update for Microsoft Office Publisher 2003 (KB950213) - Security Update for Windows XP (KB956841) - Security Update for Windows XP (KB954211) - Security Update for Windows XP (K 2008-11-05 12:18:13:839 1796 fac PT WARNING: RegisterComputer failure, error = 0x8024400E, soap client error = 7, soap error code = 400, HTTP status code = 200 2008-11-05 12:18:13:839 1796 fac PT WARNING: SOAP Fault: 0x000190 2008-11-05 12:18:13:839 1796 fac PT WARNING: faultstring:Fault occurred 2008-11-05 12:18:13:839 1796 fac PT WARNING: ErrorCode:InternalServerError(5) 2008-11-05 12:18:13:839 1796 fac PT WARNING: Message:(null) 2008-11-05 12:18:13:839 1796 fac PT WARNING: Method:"http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/RegisterComputer" 2008-11-05 12:18:13:839 1796 fac PT WARNING: ID:de051ebe-8b1a-4e0c-ab5a-855abdacd15f 2008-11-05 12:18:13:839 1796 fac PT WARNING: PTError: 0x8024400e 2008-11-05 12:18:13:839 1796 fac PT WARNING: ClientWebService->RegisterComputer failed, hr=0x8024400e, Not Fatal 2008-11-05 12:18:13:839 1796 fac Report Uploading 30 even It looks like it contacted the server, downloaded the updates but did not install them. Before I try a script to stop services, re-register wsus registry settings, remove software dist and catroot2 files, silently install the KB927891 patch, silently reinstall the most up to date client WU client version 7.0.6000.381 to WU client version 7.2.6001.788, restart the services, gpupdate /force and run wuauclt.exe /resetauthorization /detectnow. Here is the Script: [ at ]ECHO OFF & ECHO. IF NOT EXIST fixlist.txt GOTO :POOP IF /I "%1" EQU "X86" GOTO :DO_IT IF /I "%1" EQU "X64" GOTO :DO_IT IF /I "%1" EQU "mixed" GOTO :DO_IT GOTO :NOOP :DO_IT CALL :BUILD_REG_FILE FOR /F "tokens=1,2" %%a IN (fixlist.txt) DO CALL :PROCESS %%a %%b %1 GOTO :END :BUILD_REG_FILE ECHO Windows Registry Editor Version 5.00> %TEMP%\FIXWSUS.REG ECHO.>> %TEMP%\FIXWSUS.REG ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]>> %TEMP%\FIXWSUS.REG ECHO "AccountDomainSid"=->> %TEMP%\FIXWSUS.REG ECHO "PingID"=->> %TEMP%\FIXWSUS.REG ECHO "SusClientId"=->> %TEMP%\FIXWSUS.REG GOTO :END :PROCESS ECHO Attempting to fix \\%1: ECHO - Stopping Automatic Updates service.. & START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C NET STOP "Automatic Updates" /Y ECHO - Stopping BITS.. & START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C NET STOP "Background Intelligent Transfer Service" /Y ECHO - Stopping Cryptographic Services & START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C NET STOP "Cryptographic Services" ECHO -Importing registry settings.. & START /MIN /WAIT CMD /C COPY %TEMP%\FIXWSUS.REG \\%1\C$\FIXWSUS.REG START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C REGEDIT /S C:\FIXWSUS.REG START /MIN /WAIT CMD /C IF EXIST \\%1\C$\FIXWSUS.REG DEL \\%1\C$\FIXWSUS.REG ECHO - Re-registering Windows Update components.. & START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C REGSVR32 /s /u WUAPI.DLL & REGSVR32 /s WUAPI.DLL START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C REGSVR32 /s /u WUAUENG.DLL & REGSVR32 /s WUAUENG.DLL START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C REGSVR32 /s /u WUAUENG1.DLL & REGSVR32 /s WUAUENG1.DLL START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C REGSVR32 /s /u ATL.DLL & REGSVR32 /s ATL.DLL START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C REGSVR32 /s /u WUCLTUI.DLL & REGSVR32 /s WUCLTUI.DLL START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C REGSVR32 /s /u WUPS.DLL & REGSVR32 /s WUPS.DLL START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C REGSVR32 /s /u WUPS2.DLL & REGSVR32 /s WUPS2.DLL START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C REGSVR32 /s /u WUWEB.DLL & REGSVR32 /s WUWEB.DLL ECHO - Flushing SoftwareDistribution folder.. & START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C RMDIR /S /Q ^%WINDIR^%\SoftwareDistribution ECHO - Deleting WindowsUpdate.log & START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C DEL /f /s /q ^%windir^%\windowsupdate.log ECHO - Renaming Security Catalog Folder & START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C DEL /f /s /q ^%windir^%\System32\Catroot2\*.* IF EXIST WindowsUpdateAgent30-%2.exe ECHO - Installing %2 Windows Update Agent 3.0.. & ( START /MIN /WAIT PSEXEC.EXE -c \\%1 WindowsUpdateAgent30-%2.exe /norestart /quiet /wuforce ) ELSE (ECHO * MISSING %2 Windows Update Agent 3.0 patch..) IF EXIST *WindowsXP-KB927891-v?-%2-ENU.exe ECHO - Installing %2 KB927891.. & ( IF /I "%2" EQU "X86" START /MIN /WAIT PSEXEC.EXE -c \\%1 WindowsXP-KB927891-v3-x86-ENU.exe /norestart /quiet IF /I "%2" EQU "X64" START /MIN /WAIT PSEXEC.EXE -c \\%1 WindowsServer2003.WindowsXP-KB927891-v5-x64-ENU.exe /norestart /quiet ) ELSE (ECHO * MISSING %2 KB927891 patch..) ECHO - Starting Cryptographic Services.. & START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C NET START "Cryptographic Services" /Y ECHO - Starting BITS.. & START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C NET START "Background Intelligent Transfer Service" /Y ECHO - Starting Automatic Updates service.. & START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C NET START "Automatic Updates" /Y ECHO - Forcing Group Policy Update... & START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C GPUPDATE /force ECHO - Starting Windows Update Automatic Update Client.. & START /MIN /WAIT PSEXEC.EXE \\%1 CMD /C wuauclt.exe /resetauthorization /detectnow GOTO :END :POOP ECHO ERROR: fixlist.txt computer name list not found. ECHO. GOTO :END :NOOP ECHO ERROR: x86 (32-bit) or x64 (64-bit) client patches not specified. ECHO. ECHO One (1) command-line parameter *must* be passed in order for this script to ECHO function. Please use the following syntax: ECHO. ECHO FIXWSUS [x86, x64, OR mixed] ECHO. :END

Re: WSUS Updates Download to Client but do not Install, despite Policy "Lawrence Garvin \(MVP\)" <lawrence[ at ]news.postalias> 11/5/2008 9:04:55 PM "VJ" <VJ[ at ]discussions.microsoft.com> wrote in message news:7D695959-7F66-4C67-8B9A-B3BDFF3F57ED[ at ]microsoft.com... [Quoted Text] > We have a Policy that sets the updates to install [ at ] 4am every morning well > after they synchronize to the WSUS server. The problem is most of the > clients are reporting they have downloaded the updates but have not > installed > them. Part of this can be misunderstanding the entire end-to-end process of WSUS update deployment. The end-to-end process is such: [1] The WSUS Server synchronizes at specified time(s) throughout the day, plus/minus a small offset to ensure servers on the same sync schedule are not synchronizing simultaneously. [2] The WSUS =clients= synchronize (detect/report) at random times throughout the day. By default this is every 22 hours (minus a random offset of 1-20%), effectively creating a rolling synchronization schedule for clients intended to ensure that the client load is evenly spread out around the clock. [3] The WSUS clients download, using BITS. BITS is a background, bandwidth-throttled service to download files based on *available/unused* bandwidth. The availability of this bandwidth is measured at each client's LAN interface, and is dependent on the utilization of that specific interface. On a client connected via switch, this would be based on the client's actual utilization of the switched bandwidth; however, on a client connected via HUB, this would be bsaed on the segment's shared bandwidth utilization, and in a highly utilized hub-based segment, could result in extremly low throughput for a particular client. [3] The WSUS clients =install= at a specified time, once-per-week, or once-per-day, by default this is "EveryDay-3am". In order for this installation to happen, the update must have been fully downloaded (and scheduled) prior to the actual scheduled installation time. Thus, it's quite common that what you've experienced is that a client executed a normal detection at 2am, initiated downloads, but the download did not complete prior to 3am, thus missing the scheduled installation. > Some of the logs mention something that some security updates for > office will be installed once the Administrator logs in. Another reason this might happen is that you *intend* for the client to be configured with AUOptions='4' and a Scheduled Install time of EveryDay-3am, but the policy has not properly applied, or the policy has been misconfigured, or there are multiple police objects with conflicting configurations -- and the client is actually configured with AUOptions='3', which prevents an automated scheduled installation. Or, if the client is still pending a reboot from a previous update installation, ALL subsequent installations will be scheduled as "administrator-required" activities, rather than scheduled at the regular installation time. In this case the "administrator-required" activity is to reboot the system, so that subsequent update installations can be performed/scheduled. I've also seen installations missed, with great wonderment by admins, because the PCs were powered off. Contrary to great fantasy-based desires, the client system must be powered on in order to install updates at the scheduled time. I presume this is not the case with your situation, but since you are instructing your users to "reboot... before leaving", you should ensure that they're not actually shutting the systems down, or that something is interfering with the 'reboot' causing to hang in a 'shutting-down' status. Personally, I would teach the users how to =LOGOFF= the system, which will accomplish the same desired results AND ensure that the system remains powered on for necessary maintenance activities. > Not sure what else to look for. > I've recently setup a new client to test the synchronization and will > update with results. All details surrounding the entire state of the client, and activites occuring during the scheduled installation event are captured in the %windir%\WindowsUpdate.log. I would suggest a thorough review of the WindowsUpdate.log from a selected client displaying this behavior. Post the most recent detect and installation event entries if you'd like assistance interpreting the log entries. -- Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP Principal/CTO, Onsite Technology Solutions, Houston, Texas Microsoft MVP - Software Distribution (2005-2009) MS WSUS Website: http://www.microsoft.com/wsus My Websites: http://www.onsitechsolutions.com; http://wsusinfo.onsitechsolutions.com My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

Re: WSUS Updates Download to Client but do not Install, despite Po "Lawrence Garvin \(MVP\)" <lawrence[ at ]news.postalias> 11/5/2008 9:11:52 PM "VJ" <VJ[ at ]discussions.microsoft.com> wrote in message news:9838CCD7-3B88-49FE-B703-F6F01BEBF936[ at ]microsoft.com... [Quoted Text] > It looks like it contacted the server, downloaded the updates but did not > install them. What would be useful here is to see the log entries from the scheduled installation event at 3am, as well as the log entries from service startup (or the actual registry values configured at HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate). > Before I try a script to stop services, re-register wsus > registry settings, remove software dist and catroot2 files, silently > install > the KB927891 patch, silently reinstall the most up to date client WU > client > version 7.0.6000.381 to WU client version 7.2.6001.788, restart the > services, > gpupdate /force and run wuauclt.exe /resetauthorization /detectnow. None of which is a recommended practice until we identify the =CAUSE= for your observed behavior. Yet another "throw mud at the wall script" because ONE of the statements below MIGHT actually fix something in some previous installation that exhibited behavior that could have been surgically fixed by merely executing ONE of the statements contained in the below script. My suggestion: Throw this script away, and let's diagnose the problem first. The script, btw, convoluted that it is, is designed to delete unnecessary registry keys from a WSUS client, when the clients have been improperly cloned, and thus have duplicate SusClientID values. At this point there is insufficient evidence to indicate that this is your issue (the more likely cause at this point being either a simple misunderstanding of expected behavior, or a misconfiguration of the actual policy being applied). In fact, if it were your issue, we wouldn't be talking about updates not installing -- we'd be talking about updates not *reporting* correctly. -- Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP Principal/CTO, Onsite Technology Solutions, Houston, Texas Microsoft MVP - Software Distribution (2005-2009) MS WSUS Website: http://www.microsoft.com/wsus My Websites: http://www.onsitechsolutions.com; http://wsusinfo.onsitechsolutions.com My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

Re: WSUS Updates Download to Client but do not Install, despite Po VJ 11/5/2008 10:28:00 PM Thank You Lawrence and belated apologies for the SPAM. I'll observe the machine and check tomorrow to see that the downloaded updates are installed. In the meantime I am seeing these errors on several machine logs: WARNING: AU found no suitable session to launch client in "Lawrence Garvin (MVP)" wrote: [Quoted Text] > "VJ" <VJ[ at ]discussions.microsoft.com> wrote in message > news:7D695959-7F66-4C67-8B9A-B3BDFF3F57ED[ at ]microsoft.com... > > We have a Policy that sets the updates to install [ at ] 4am every morning well > > after they synchronize to the WSUS server. The problem is most of the > > clients are reporting they have downloaded the updates but have not > > installed > > them. > > Part of this can be misunderstanding the entire end-to-end process of WSUS > update deployment. > > The end-to-end process is such: > > [1] The WSUS Server synchronizes at specified time(s) throughout the day, > plus/minus a small offset to ensure servers on the same sync schedule are > not synchronizing simultaneously. > > [2] The WSUS =clients= synchronize (detect/report) at random times > throughout the day. By default this is every 22 hours (minus a random offset > of 1-20%), effectively creating a rolling synchronization schedule for > clients intended to ensure that the client load is evenly spread out around > the clock. > > [3] The WSUS clients download, using BITS. BITS is a background, > bandwidth-throttled service to download files based on *available/unused* > bandwidth. The availability of this bandwidth is measured at each client's > LAN interface, and is dependent on the utilization of that specific > interface. On a client connected via switch, this would be based on the > client's actual utilization of the switched bandwidth; however, on a client > connected via HUB, this would be bsaed on the segment's shared bandwidth > utilization, and in a highly utilized hub-based segment, could result in > extremly low throughput for a particular client. > > [3] The WSUS clients =install= at a specified time, once-per-week, or > once-per-day, by default this is "EveryDay-3am". In order for this > installation to happen, the update must have been fully downloaded (and > scheduled) prior to the actual scheduled installation time. Thus, it's quite > common that what you've experienced is that a client executed a normal > detection at 2am, initiated downloads, but the download did not complete > prior to 3am, thus missing the scheduled installation. > > > Some of the logs mention something that some security updates for > > office will be installed once the Administrator logs in. > > Another reason this might happen is that you *intend* for the client to be > configured with AUOptions='4' and a Scheduled Install time of EveryDay-3am, > but the policy has not properly applied, or the policy has been > misconfigured, or there are multiple police objects with conflicting > configurations -- and the client is actually configured with AUOptions='3', > which prevents an automated scheduled installation. > > Or, if the client is still pending a reboot from a previous update > installation, ALL subsequent installations will be scheduled as > "administrator-required" activities, rather than scheduled at the regular > installation time. In this case the "administrator-required" activity is to > reboot the system, so that subsequent update installations can be > performed/scheduled. > > I've also seen installations missed, with great wonderment by admins, > because the PCs were powered off. Contrary to great fantasy-based desires, > the client system must be powered on in order to install updates at the > scheduled time. I presume this is not the case with your situation, but > since you are instructing your users to "reboot... before leaving", you > should ensure that they're not actually shutting the systems down, or that > something is interfering with the 'reboot' causing to hang in a > 'shutting-down' status. > > Personally, I would teach the users how to =LOGOFF= the system, which will > accomplish the same desired results AND ensure that the system remains > powered on for necessary maintenance activities. > > > > Not sure what else to look for. > > I've recently setup a new client to test the synchronization and will > > update with results. > > All details surrounding the entire state of the client, and activites > occuring during the scheduled installation event are captured in the > %windir%\WindowsUpdate.log. I would suggest a thorough review of the > WindowsUpdate.log from a selected client displaying this behavior. Post the > most recent detect and installation event entries if you'd like assistance > interpreting the log entries. > > > > > -- > Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP > Principal/CTO, Onsite Technology Solutions, Houston, Texas > Microsoft MVP - Software Distribution (2005-2009) > > MS WSUS Website: http://www.microsoft.com/wsus > My Websites: http://www.onsitechsolutions.com; > http://wsusinfo.onsitechsolutions.com > My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin > >

Re: WSUS Updates Download to Client but do not Install, despite Po VJ 11/5/2008 10:37:01 PM Also, here is what the client sees for the policy. Also, Pre-Install Notify does not mean that the end user will be notified before Install I hope. 2008-11-05 07:40:39:430 1400 2dc AU ########### AU: Initializing Automatic Updates ########### 2008-11-05 07:40:39:430 1400 2dc AU AU setting next detection timeout to 2008-11-05 15:40:39 2008-11-05 07:40:39:446 1400 2dc AU # WSUS server: http://pokemon-sea2:8530 2008-11-05 07:40:39:446 1400 2dc AU # Detection frequency: 4 2008-11-05 07:40:39:446 1400 2dc AU # Target group: workstations 2008-11-05 07:40:39:446 1400 2dc AU # Approval type: Pre-install notify (Policy) 2008-11-05 07:40:39:446 1400 2dc AU # Auto-install minor updates: No (Policy) 2008-11-05 07:40:39:461 1400 2dc AU AU finished delayed initialization

Re: WSUS Updates Download to Client but do not Install, despite Po "Lawrence Garvin \(MVP\)" <lawrence[ at ]news.postalias> 11/6/2008 2:15:14 AM "VJ" <VJ[ at ]discussions.microsoft.com> wrote in message news:342E40E1-EAAE-461A-B7BC-D6A891F4AC38[ at ]microsoft.com... [Quoted Text] > Thank You Lawrence and belated apologies for the SPAM. I'll observe the > machine and check tomorrow to see that the downloaded updates are > installed. > In the meantime I am seeing these errors on several machine logs: > > WARNING: AU found no suitable session to launch client in These are normal messages and simply mean that an administrator-level login was not active on the system's console at the logged time. It's the attempt to raise a notification in the Notification Bar that can only succeed when an authorized user is logged on. -- Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP Principal/CTO, Onsite Technology Solutions, Houston, Texas Microsoft MVP - Software Distribution (2005-2009) MS WSUS Website: http://www.microsoft.com/wsus My Websites: http://www.onsitechsolutions.com; http://wsusinfo.onsitechsolutions.com My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

Re: WSUS Updates Download to Client but do not Install, despite Po "Lawrence Garvin \(MVP\)" <lawrence[ at ]news.postalias> 11/6/2008 2:21:10 AM "VJ" <VJ[ at ]discussions.microsoft.com> wrote in message news:0D2A9AF6-9DAC-4A3F-B64F-12139BB2C629[ at ]microsoft.com... [Quoted Text] > Also, here is what the client sees for the policy. Also, Pre-Install > Notify > does not mean that the end user will be notified before Install I hope. > 2008-11-05 07:40:39:446 1400 2dc AU # Approval type: Pre-install notify > (Policy) "Pre-install notify (Policy)" means this machine has AUOptions=3 set by policy and the only way updates will be installed is if an admin user initiates the installation from the UI. If the policy had AUOptions=4, the log entry would be: Approval type: Scheduled (Policy) Either you have conflicting policies being applied, or the policy you intend to be applied to this system -- isn't. And, still, you have the AUOptions=3 coming from somewhere, because that's not the installation default. -- Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP Principal/CTO, Onsite Technology Solutions, Houston, Texas Microsoft MVP - Software Distribution (2005-2009) MS WSUS Website: http://www.microsoft.com/wsus My Websites: http://www.onsitechsolutions.com; http://wsusinfo.onsitechsolutions.com My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

Re: WSUS Updates Download to Client but do not Install, despite Po VJ 11/6/2008 4:19:01 PM Here is the Auto -Update Policy for the workstations ou. Policy Setting Allow Automatic Updates immediate installation Disabled Automatic Updates detection frequency Enabled Check for updates at the following interval (hours): 4 Policy Setting Configure Automatic Updates Enabled Configure automatic updating: 4 - Auto download and schedule the install The following settings are only required and applicable if 4 is selected. Scheduled install day: 0 - Every day Scheduled install time: 04:00 Policy Setting Delay Restart for scheduled installations Disabled Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box Enabled Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box Enabled Enable client-side targeting Enabled Target group name for this computer workstations Policy Setting No auto-restart for scheduled Automatic Updates installations Disabled Specify intranet Microsoft update service location Enabled Set the intranet update service for detecting updates: http://zzzz:8530 Set the intranet statistics server: http://zzzz:8530 (example: http://IntranetUpd01) But, I also found a Windows Update Specified in the Default Domain Policy. Windows Components/Windows Update Policy Setting Configure Automatic Updates Enabled Configure automatic updating: 3 - Auto download and notify for install The following settings are only required and applicable if 4 is selected. Scheduled install day: 0 - Every day Scheduled install time: 03:00 Policy Setting Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box Enabled Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box Enabled Enable client-side targeting Enabled Target group name for this computer workstations Policy Setting No auto-restart for scheduled Automatic Updates installations Enabled Reschedule Automatic Updates scheduled installations Disabled Specify intranet Microsoft update service location Enabled Set the intranet update service for detecting updates: http://zzzz:8530 Set the intranet statistics server: http://zzzz:8530 (example: http://IntranetUpd01) Is there a conflict here? Thanks, Vijay "Lawrence Garvin (MVP)" wrote: [Quoted Text] > "VJ" <VJ[ at ]discussions.microsoft.com> wrote in message > news:0D2A9AF6-9DAC-4A3F-B64F-12139BB2C629[ at ]microsoft.com... > > Also, here is what the client sees for the policy. Also, Pre-Install > > Notify > > does not mean that the end user will be notified before Install I hope. > > > 2008-11-05 07:40:39:446 1400 2dc AU # Approval type: Pre-install notify > > (Policy) > > "Pre-install notify (Policy)" means this machine has AUOptions=3 set by > policy > and the only way updates will be installed is if an admin user initiates the > installation from the UI. > > If the policy had AUOptions=4, the log entry would be: > Approval type: Scheduled (Policy) > > Either you have conflicting policies being applied, > or the policy you intend to be applied to this system -- isn't. > > And, still, you have the AUOptions=3 coming from somewhere, > because that's not the installation default. > > -- > Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP > Principal/CTO, Onsite Technology Solutions, Houston, Texas > Microsoft MVP - Software Distribution (2005-2009) > > MS WSUS Website: http://www.microsoft.com/wsus > My Websites: http://www.onsitechsolutions.com; > http://wsusinfo.onsitechsolutions.com > My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin > >

Re: WSUS Updates Download to Client but do not Install, despite Po "Lawrence Garvin \(MVP\)" <lawrence[ at ]news.postalias> 11/6/2008 7:06:45 PM "VJ" <VJ[ at ]discussions.microsoft.com> wrote in message news:706F9CB3-92F4-42CD-B5DC-59028D634AB0[ at ]microsoft.com... [Quoted Text] > But, I also found a Windows Update Specified in the Default Domain Policy. Ouch! > Configure automatic updating: 3 - Auto download and notify for install There is the cause of your conflict! :-) It is strongly discouraged to modify the "Default Domain Policy" for any reason. However, the =OU= policy should override the policy applied at the domain level; however, this appears to not be happening, so you've actually got one problem masking another. To begin resolution: [1] The Default Domain Policy should not be modified. (I would recommend setting all of these values back to "Not Configured".) [2] For some reason the =OU= policy is *not* being applied correctly, as it's evident that the policy values obtained by the client came from the Default Domain Policy (and were not overridden by a properly applied OU Policy). After updating the Default Domain Policy, and ensuring the DDP has been properly applied (run /gpupdate /force), then you'll need to diagnose why the OU policy is not being applied. -- Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP Principal/CTO, Onsite Technology Solutions, Houston, Texas Microsoft MVP - Software Distribution (2005-2009) MS WSUS Website: http://www.microsoft.com/wsus My Websites: http://www.onsitechsolutions.com; http://wsusinfo.onsitechsolutions.com My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin