Well, that means somehow they were targeted with those updates. You don't need to use SUGs to target an update, they can be done individually. You may be able to find a report that gives you some details but logs would be the primary source of info.
Another theory would have been WSUS being used outside SCCM but would not show up in system center app. Maybe they were made available and removed after. You can check audit message in monitoring. Cesar A On May 26, 2015 7:03 AM, "Gushue, William" <[email protected]> wrote: > I don’t believe anyone else triggered it. I am more concerned about the > fact that they were targeted in the first place. As these servers were in > no collection that had a Software Update Group targeted to them it, I would > assume that even if they did check for updates against SCCM they would have > seen that nothing was “approved” for the servers and had done nothing. But > they did show up in Software Center (that is how the admins knew it was > happening) and they did reboot (some were being monitored at the time and > some weren’t). > > > > Never thought to use Maintenance Windows in that fashion – something to > think about. Thanks. > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Mote, Todd > *Sent:* Tuesday, May 26, 2015 9:28 AM > *To:* [email protected] > *Subject:* [mssms] RE: Software Updates Applied to Servers Without > Approval > > > > Both can be active at the same time, so sure, they could show up in > Software Center and then get installed by Automatic Updates. Equal > opportunity, first come first serve. J I have a group policy that > specifically turns off Automatic Updates, that I apply to my SCCM clients > that use Software Updates to patch. > > > > Also, make liberal use of Maintenance Windows when patching servers. > Maintenance Windows will make sure you don’t have to worry about SCCM doing > anything until the time you set the maintenance window for. That way it’s > easy to rule out SCCM as a culprit. And you have the flexibility of > setting a window to expire in the past and never having SCCM do anything. > > > > Another thing that bites folks, usually just once, is UTC. Some one way > or another the deployment gets set to happen at UTC rather than local time > and it can seem as though SCCM randomly did something, when in reality, > over in Greenwich, it was exactly the time it was told to do whatever it > was told to do. > > > > Another possibility... Are you the only one that could initiate > installs? Is there another administrator that might have started things > via Software Center? > > > > Todd > > > > *From:* [email protected] [ > mailto:[email protected] <[email protected]>] *On > Behalf Of *Gushue, William > *Sent:* Tuesday, May 26, 2015 8:10 AM > *To:* [email protected] > *Subject:* [mssms] RE: Software Updates Applied to Servers Without > Approval > > > > Another question, though: If they are installed via AU, would this > information still show up in Software Center? The notifications were > displayed in Software Center and it was Software Center that actually > performed the reboot (Event Viewer shows Ccmexec performing the reboot). > > > > *From:* [email protected] [ > mailto:[email protected] <[email protected]>] *On > Behalf Of *Mote, Todd > *Sent:* Monday, May 25, 2015 9:06 PM > *To:* myITforum SMS List ([email protected]) > *Subject:* [mssms] RE: Software Updates Applied to Servers Without > Approval > > > > UX usually means ‘user experience’, but you’ve got some other key words in > there like, ‘AU’ and ‘interactive’. Do these servers have Automatic > Updates Group Policy applied anywhere? > > > > In c:\windows\ccm\logs you should be able to see stuff around the scan in > updatesdeployment.log, scanagent.log, datatransferservice.log, > updateshandler.log, updatesstore.log and wuahandler.log to see all of the > updates. > > > > Also, in windowsupdate.log you should see more stuff like this: > > > > 2015-05-25 19:14:24:752 5272 14f4 > COMAPI -- START -- COMAPI: Search [ClientId = CcmExec] > > 2015-05-25 19:14:24:752 5272 14f4 > COMAPI --------- > > 2015-05-25 19:14:24:753 940 c14 Agent > ************* > > 2015-05-25 19:14:24:753 940 c14 Agent ** > START ** Agent: Finding updates [CallerId = CcmExec] > > 2015-05-25 19:14:24:753 940 c14 Agent > ********* > > 2015-05-25 19:14:24:753 940 c14 Agent * > Include potentially superseded updates > > 2015-05-25 19:14:24:753 940 c14 Agent * > Online = No; Ignore download priority = Yes > > 2015-05-25 19:14:24:753 940 c14 Agent * > Criteria = "((DeploymentAction=* AND Type='Software' AND CategoryIDs > contains '84F5F325-30D7-41C4-81D1-87A0E6535B66') OR (DeploymentAction=* AND > Type='Software' AND CategoryIDs contains > '704A0A4A-518F-4D69-9E03-10BA44198BD5') OR (DeploymentAction=* AND > Type='Software' AND CategoryIDs contains > '6248B8B1-FFEB-DBD9-887A-2ACF53B09DFE') OR (DeploymentAction=* AND > Type='Software' AND CategoryIDs contains > '1403F223-A63F-F572-82BA-C92391218055') OR (DeploymentAction=* AND > Type='Software' AND CategoryIDs contains > '041E4F9F-3A3D-4F58-8B2F-5E6FE95C4591') OR (DeploymentAction=* AND > Type='Software' AND CategoryIDs contains > 'B54E7D24-7ADD-428F-8B75-90A396FA584F') OR (DeploymentAction=* AND > Type='Software' AND CategoryIDs contains > '0FA1201D-4330-4FA8-8AE9-B877473B6441'))" > > 2015-05-25 19:14:24:753 940 c14 Agent * > ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed > > 2015-05-25 19:14:24:753 940 c14 Agent * > Search Scope = {Machine} > > 2015-05-25 19:14:24:753 940 c14 Agent * > Caller SID for Applicability: S-1-5-18 > > 2015-05-25 19:14:24:758 5272 14f4 > COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec] > > 2015-05-25 19:14:27:089 940 c14 Agent * > Added update {BDB0E301-5660-4DB8-A396-F3C9C0C10776}.201 to search result > > 2015-05-25 19:14:27:090 940 c14 Agent * > Added update {D391DE02-B9A1-4C5B-B8C1-7ECCA958ACDF}.203 to search result > > 2015-05-25 19:14:27:090 940 c14 Agent * > Added update {92504704-BF09-4CE5-8436-90B6AE8A842A}.201 to search result > > 2015-05-25 19:14:27:090 940 c14 Agent * > Added update {28904808-0DBB-4812-9A9A-7E9977ADE38A}.202 to search result > > 2015-05-25 19:14:27:090 940 c14 Agent * > Added update {09257309-72A1-4622-B9DA-610B9E037E2E}.201 to search result > > 2015-05-25 19:14:27:090 940 c14 Agent * > Added update {C822D00A-FEC3-4B65-8F63-6E6BEA292944}.203 to search result > > > > That 5th column in yours shows ‘AU’ which typically means Auto Update, > and not ‘Agent’ like mine above which should be your sccm client doing > stuff. > > > > Looks to me like they did what they were told, it just wasn’t SCCM. Maybe > WSUS via Group Policy? > > > > Todd > > > > *From:* [email protected] [ > mailto:[email protected] <[email protected]>] *On > Behalf Of *Gushue, William > *Sent:* Monday, May 25, 2015 2:10 PM > *To:* myITforum SMS List ([email protected]) > *Subject:* [mssms] Software Updates Applied to Servers Without Approval > > > > I configured a Software Update Group to deploy to a group of servers this > past weekend. A number of other servers ended up installing the updates. > I have: > > > > 1. Checked the collection (which I have since deleted) to ensure the > correct servers were added. > > 2. Checked the Properties of the servers that received the updates (even > though they shouldn’t have) and there were NO deployments in the > Deployments tab. > > 3. Checked reports and they tell me the updates were required, but there > was no check mark under “Approved” > > 4. Checked for Duplicate GUIDs and there are none that apply. > > 5. Checked the Windows Update log file and see the following: > > “2015-05-25 10:26:07:179 1224 > 5b5c AU AU received approval from UX for 43 updates > > 2015-05-25 10:26:07:179 1224 5b5c AU > AU setting pending client directive to 'Progress Ux' > > 2015-05-25 10:26:07:303 1224 5b5c AU > BeginInteractiveInstall invoked for Download > > 2015-05-25 10:26:07:303 1224 5b5c AU > Auto-approving update for download, updateId = > {0087DF01-B453-4F5E-B5B4-E61911BCF5A8}.200, ApprovalIsForUx=1, > UpdateOwner=UX, HasDeadline=0, IsMinor=0” – which indicates something > approved them, but I am not sure what “UX” means. > > > > Is there anywhere on the client itself where I can see something to the > effect “I am supposed to apply these updates and it’s because I am in this > collection”? I have been using PolicySpy and checking PolicyEvaluator and > PolicyAgent but have yet to come across why these updates got approved for > these systems. I am usually pretty good at tracking down my own mistakes, > but this one has me stumped. > > > > Thanks. > > > ------------------------------ > > > ******************************************************************** > > This e-mail message is privileged, confidential and subject to > copyright. Any unauthorized use or disclosure is prohibited. > > Le contenu du présent courriel est privilégié, confidentiel et > soumis à des droits d'auteur. Il est interdit de l'utiliser ou > de le divulguer sans autorisation. > > ******************************************************************** > > > > > > > > > >
