I also have all of my clients in Unassigned Computers in the WSUS instance 
installed for ConfigMgr.  Might be better to send on your windowsupdate.log, 
but do you have sections that look like this?  This is an update install 
actually happening.

2015-05-27          05:17:21:410       644        11a8      COMAPI              
 -- START --  COMAPI: Install [ClientId = CcmExec]
2015-05-27          05:17:21:410       644        11a8      COMAPI              
 ---------
2015-05-27          05:17:21:410       644        11a8      COMAPI              
   - Allow source prompts: No; Forced: No; Force quiet: Yes; Attempt close apps 
if necessary: No
2015-05-27          05:17:21:410       644        11a8      COMAPI              
   - Updates in request: 1
2015-05-27          05:17:21:410       644        11a8      COMAPI              
   - ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2015-05-27          05:17:21:363       848        3e4         DnldMgr           
   ***********  DnldMgr: Copy update to cache [UpdateId = 
{0D96A552-E777-4215-BE78-45B87B5A52E3}.200]  ***********
2015-05-27          05:17:21:363       848        3e4         DnldMgr           
   No locked revisions found for update 0D96A552-E777-4215-BE78-45B87B5A52E3; 
locking the user-specified revision.
2015-05-27          05:17:21:394       848        3e4         Misc       
Validating signature for 
C:\WINDOWS\SoftwareDistribution\Download\4d47ff5ae94177975e1840735ea74ad2decd2d6d
 with dwProvFlags 0x00000080:
2015-05-27          05:17:21:394       848        3e4         Misc       
Microsoft signed: Yes
2015-05-27          05:17:21:410       848        3e4         IdleTmr WU 
operation (CInstallCall::Init ID 4) started; operation # 66; does not use 
network; is not at background priority
2015-05-27          05:17:21:410       848        3e4         IdleTmr 
Incremented idle timer priority operation counter to 1
2015-05-27          05:17:21:410       848        3e4         Agent    
Beginning install of conventional work item
2015-05-27          05:17:21:410       644        11a8      COMAPI              
   - Updates to install = 1
2015-05-27          05:17:21:410       644        11a8      COMAPI              
 <<-- SUBMITTED -- COMAPI: Install [ClientId = CcmExec]
2015-05-27          05:17:21:410       848        122c       Agent    
*************
2015-05-27          05:17:21:410       848        122c       Agent    ** START 
**  Agent: Installing updates [CallerId = CcmExec]
2015-05-27          05:17:21:410       848        122c       Agent    *********
2015-05-27          05:17:21:410       848        122c       Agent      * 
Updates to install = 1
2015-05-27          05:17:21:410       848        122c       Agent      *   
Title = Definition Update for Microsoft Endpoint Protection - KB2461484 
(Definition 1.199.892.0)
2015-05-27          05:17:21:410       848        122c       Agent      *   
UpdateId = {BEEF0A57-F323-4D1A-AED7-7C28A890734E}.200
2015-05-27          05:17:21:410       848        122c       Agent      *     
Bundles 13 updates:
2015-05-27          05:17:21:410       848        122c       Agent      *       
{9ADE0A01-4B9F-47CF-B81F-F0A3D62BDCC9}.200
2015-05-27          05:17:21:410       848        122c       Agent      *       
{68AF1F14-692F-4C70-8983-7F4AA69093CD}.200
2015-05-27          05:17:21:410       848        122c       Agent      *       
{BB829F61-F190-4CBE-98B8-B3779B27E5A6}.200
2015-05-27          05:17:21:410       848        122c       Agent      *       
{C139785C-6F5F-4E3F-A62D-E807A7C2812F}.200
2015-05-27          05:17:21:410       848        122c       Agent      *       
{6BA5FFEB-9313-48B8-A272-E9BE3B00FB6C}.200
2015-05-27          05:17:21:410       848        122c       Agent      *       
{8A043CF2-9681-47DE-96B6-9E5A3FD96748}.200
2015-05-27          05:17:21:410       848        122c       Agent      *       
{C943B637-FB9E-4055-B959-3568350EE12E}.200
2015-05-27          05:17:21:410       848        122c       Agent      *       
{76331A49-BE93-499F-91A9-5CBD255ED8F5}.200
2015-05-27          05:17:21:410       848        122c       Agent      *       
{011D3F61-E94F-4D5B-B43C-227D4BB44088}.200
2015-05-27          05:17:21:410       848        122c       Agent      *       
{78CCC441-D2CA-4B27-B607-9D8EBD0853A0}.200
2015-05-27          05:17:21:410       848        122c       Agent      *       
{B63F964B-DC1E-42C4-8C44-87FD02B66FC7}.200
2015-05-27          05:17:21:410       848        122c       Agent      *       
{84AC7BA6-71CF-4EAC-9939-76AE3A288220}.200
2015-05-27          05:17:21:410       848        122c       Agent      *       
{0D96A552-E777-4215-BE78-45B87B5A52E3}.200
2015-05-27          05:17:21:441       848        122c       DnldMgr            
  Preparing update for install, updateId = 
{0D96A552-E777-4215-BE78-45B87B5A52E3}.200.
2015-05-27          05:17:21:441       848        122c       DnldMgr            
  ExtractUpdateFiles: 0x00000000
2015-05-27          05:17:21:441       3400       e1c         Misc       
===========  Logging initialized (build: 7.9.9600.17729, tz: -0500)  ===========
2015-05-27          05:17:21:441       3400       e1c         Misc         = 
Process: C:\WINDOWS\system32\wuauclt.exe
2015-05-27          05:17:21:441       3400       e1c         Misc         = 
Module: C:\WINDOWS\SYSTEM32\wuaueng.dll
2015-05-27          05:17:21:441       3400       e1c         Handler           
     :::::::::::::
2015-05-27          05:17:21:441       3400       e1c         Handler           
     :: START ::  Handler: Command Line Install
2015-05-27          05:17:21:441       3400       e1c         Handler           
     :::::::::
2015-05-27          05:17:21:441       3400       e1c         Handler           
       : Updates to install = 1
2015-05-27          05:17:22:879       848        afc          Report  REPORT 
EVENT: {DFDB009B-F1CE-40B2-A670-67704E31E67A}                2015-05-27 
05:17:17:878-0500     1              147 [AGENT_DETECTION_FINISHED]       101   
      {00000000-0000-0000-0000-000000000000}       0              0             
 CcmExec              Success Software Synchronization            Windows 
Update Client successfully detected 2 updates.
2015-05-27          05:17:22:879       848        afc          Report  REPORT 
EVENT: {87FD7541-5799-4C16-BBB8-8C129C1347BF}                2015-05-27 
05:17:21:410-0500     1              181 [AGENT_INSTALLING_STARTED]       101   
      {BEEF0A57-F323-4D1A-AED7-7C28A890734E}         200         0              
CcmExec              Success Content Install  Installation Started: Windows has 
started installing the following update: Definition Update for Microsoft 
Endpoint Protection - KB2461484 (Definition 1.199.892.0)
2015-05-27          05:17:22:879       848        afc          Report  
CWERReporter finished handling 6 events. (00000000)
2015-05-27          05:17:34:254       3400       e1c         Handler           
       : Command line install completed. Return code = 0x00000000, Result = 
Succeeded, Reboot required = false
2015-05-27          05:17:34:254       3400       e1c         Handler           
     :::::::::
2015-05-27          05:17:34:254       3400       e1c         Handler           
     ::  END  ::  Handler: Command Line Install

Also, my scans look like this in windowsupdate.log.  It seems to me that the 
Windows Update client is still in charge for you.

2015-05-27          05:23:47:746       848        514         Agent    ** START 
**  Agent: Finding updates [CallerId = CcmExec  Id = 6]
2015-05-27          05:23:47:746       848        514         Agent    *********
2015-05-27          05:23:47:746       848        514         Agent      * 
Include potentially superseded updates
2015-05-27          05:23:47:746       848        514         Agent      * 
Online = Yes; Ignore download priority = Yes
2015-05-27          05:23:47:746       848        514         Agent      * 
Criteria = "(DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND 
Type='Driver')"
2015-05-27          05:23:47:746       848        514         Agent      * 
ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2015-05-27          05:23:47:746       848        514         Agent      * 
Search Scope = {Machine}
2015-05-27          05:23:47:746       848        514         Agent      * 
Caller SID for Applicability: S-1-5-18
2015-05-27          05:23:47:746       848        514         Agent      * 
RegisterService is set
2015-05-27          05:23:47:762       848        514         EP           Got 
WSUS Client/Server URL: "https://sccm-server/ClientWebService/client.asmx";
2015-05-27          05:23:48:418       848        514         PT           
+++++++++++  PT: Synchronizing server updates  +++++++++++
2015-05-27          05:23:48:418       848        514         PT             + 
ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = 
https://its-sccm-p01.austin.utexas.edu:8531/ClientWebService/client.asmx
2015-05-27          05:23:48:434       848        514         Agent    Reading 
cached app categories using lifetime 604800 seconds
2015-05-27          05:23:48:434       848        514         Agent    Read 0 
cached app categories
2015-05-27          05:23:48:434       848        514         Agent    
SyncUpdates adding 0 visited app categories
2015-05-27          05:23:50:027       848        514         IdleTmr WU 
operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 
92; does use network; is at background priority
2015-05-27          05:23:50:059       848        514         IdleTmr WU 
operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 92) 
stopped; does use network; is at background priority
2015-05-27          05:23:50:059       848        514         Agent    Reading 
cached app categories using lifetime 604800 seconds
2015-05-27          05:23:50:059       848        514         Agent    Read 0 
cached app categories
2015-05-27          05:23:50:059       848        514         Agent    
SyncUpdates adding 0 visited app categories
2015-05-27          05:23:50:074       848        514         IdleTmr WU 
operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 
93; does use network; is at background priority
2015-05-27          05:23:50:090       848        514         IdleTmr WU 
operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 93) 
stopped; does use network; is at background priority
2015-05-27          05:23:50:090       848        514         PT             + 
SyncUpdates round trips: 2
2015-05-27          05:23:51:012       848        514         PT           
+++++++++++  PT: Synchronizing extended update info  +++++++++++
2015-05-27          05:23:51:012       848        514         PT             + 
ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = 
https://sccm-server/ClientWebService/client.asmx
2015-05-27          05:23:51:012       848        514         IdleTmr WU 
operation (CAgentProtocolTalker::GetExtendedUpdateInfo_WithRecovery) started; 
operation # 94; does use network; is at background priority
2015-05-27          05:23:51:027       848        514         IdleTmr WU 
operation (CAgentProtocolTalker::GetExtendedUpdateInfo_WithRecovery, operation 
# 94) stopped; does use network; is at background priority
2015-05-27          05:23:51:059       848        514         Agent      * 
Added update {9B29D104-997F-475E-99B1-854C30CB4E88}.201 to search result
2015-05-27          05:23:51:059       848        514         Agent      * 
Added update {9E059209-E554-4892-BE02-BB13A243020C}.202 to search result
2015-05-27          05:23:51:059       848        514         Agent      * 
Added update {01A0100C-C3B7-4EC7-866E-DB8C30111E80}.201 to search result
……..
2015-05-27          05:23:51:059       848        514         Agent      * 
Added update {228676F3-8545-444C-A7E0-4DF7B9C2B4D6}.201 to search result
2015-05-27          05:23:51:059       848        514         Agent      * 
Added update {E7EECEF3-EADE-4C78-B559-4D8F87A3D6EE}.201 to search result
2015-05-27          05:23:51:059       848        514         Agent      * 
Added update {1D9D36F4-7888-466B-9563-A633B5DE4841}.200 to search result
2015-05-27          05:23:51:059       848        514         Agent      * 
Added update {086110F9-6500-4ADA-902D-7861CD2CD90B}.214 to search result
2015-05-27          05:23:51:059       848        514         Agent      * 
Added update {67E57AFC-42AF-497B-BFF3-FAF2C0880CE3}.201 to search result
2015-05-27          05:23:51:059       848        514         Agent      * 
Added update {AAA28BFC-6214-4475-A0EB-E57C780011AA}.200 to search result
2015-05-27          05:23:51:059       848        514         Agent      * 
Found 117 updates and 77 categories in search; evaluated appl. rules of 771 out 
of 1106 deployed entities
2015-05-27          05:23:51:059       848        514         Agent    
Reporting status event with 8 installable, 109 installed,  0 installed pending, 
0 failed and 0 downloaded updates

Send your whole log to me offline and I’ll take a look.

Todd


From: [email protected] [mailto:[email protected]] On 
Behalf Of Gushue, William
Sent: Wednesday, May 27, 2015 2:28 PM
To: [email protected]
Subject: RE: [mssms] RE: Software Updates Applied to Servers Without Approval

From WindowsUpdate.log (this is from a different server than before, so I see the 
“Agent” is in charge here):

“2015-05-23        02:00:03:150       416        3014       PT           
Initializing simple targeting cookie, clientId = 
616408b4-eb82-4c8f-b496-c3e9c1c433f3, target group = , DNS name = <FQDN>”

“2015-05-23        02:01:39:230       416        3014       Report  REPORT 
EVENT: {A4F0A425-39CB-43B3-B24E-88D9D85CFA99}                2015-05-23 
02:01:39:137-0400     1              147         101         
{00000000-0000-0000-0000-000000000000}           0                0             
 CcmExec              Success Software Synchronization            Windows 
Update Client successfully detected 243 updates.
2015-05-23          02:01:39:230       416        3014       Report  REPORT 
EVENT: {AFDDC99D-60FF-4ACC-A555-DE701EBF67AD}                2015-05-23 
02:01:39:137-0400     1              156         101         
{00000000-0000-0000-0000-000000000000}  0              0              CcmExec   
           Success Pre-Deployment Check Reporting client status.”

And later, after the install but before checking reboot status:

“2015-05-23        02:55:11:628       240        1264       Agent      * Target 
group: (Unassigned Computers)”

This group (Unassigned Computers) is from the WSUS server, correct?  I have 
some systems populated in this group.  My question is, are there supposed to be 
any systems populated in this group in the WSUS console?  If not, then maybe 
something is configured incorrectly.  I did not configure WSUS upon install, 
but let SCCM do it, but who knows.  It can’t be a coincidence, however, that these 
updates installed at around 2:00 am on Saturday morning, which is exactly when 
I had this deployment scheduled to run.

I checked auditing logs but could only find deployments for packages, not 
software updates.

Also, I have seen this happen live and checked the records in the SCCM console 
and even though the server was running updates, via Software Center, there 
were no deployments in the Deployments tab in the properties of the record.

Thanks.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of elsalvoz
Sent: Tuesday, May 26, 2015 10:40 AM
To: [email protected]<mailto:[email protected]>
Subject: Re: [mssms] RE: Software Updates Applied to Servers Without Approval


Well, that means somehow they were targeted with those updates. You don't need 
to use SUGs to target an update, they can be done individually. You may be able 
to find a report that gives you some details but logs would be the primary 
source of info.

Another theory would have been WSUS being used outside SCCM but would not show 
up in system center app.

Maybe they were made available and removed after. You can check audit message 
in monitoring.

Cesar A
On May 26, 2015 7:03 AM, "Gushue, William" 
<[email protected]<mailto:[email protected]>> wrote:
I don’t believe anyone else triggered it.  I am more concerned about the fact 
that they were targeted in the first place.  As these servers were in no 
collection that had a Software Update Group targeted to them, I would assume 
that even if they did check for updates against SCCM they would have seen that 
nothing was “approved” for the servers and had done nothing.  But they did show 
up in Software Center (that is how the admins knew it was happening) and they 
did reboot (some were being monitored at the time and some weren’t).

Never thought to use Maintenance Windows in that fashion – something to think 
about.  Thanks.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]<mailto:[email protected]>] 
On Behalf Of Mote, Todd
Sent: Tuesday, May 26, 2015 9:28 AM
To: [email protected]<mailto:[email protected]>
Subject: [mssms] RE: Software Updates Applied to Servers Without Approval

Both can be active at the same time, so sure, they could show up in Software 
Center and then get installed by Automatic Updates.  Equal opportunity, first 
come first serve.  ☺  I have a group policy that specifically turns off 
Automatic Updates, that I apply to my SCCM clients that use Software Updates to 
patch.

Also, make liberal use of Maintenance Windows when patching servers.  
Maintenance Windows will make sure you don’t have to worry about SCCM doing 
anything until the time you set the maintenance window for.  That way it’s easy 
to rule out SCCM as a culprit.  And you have the flexibility of setting a 
window to expire in the past and never having SCCM do anything.

Another thing that bites folks, usually just once, is UTC.  One way or 
another the deployment gets set to happen at UTC rather than local time and it 
can seem as though SCCM randomly did something, when in reality, over in 
Greenwich, it was exactly the time it was told to do whatever it was told to do.

Another possibility...  Are you the only one that could initiate installs?  Is 
there another administrator that might have started things via Software Center?

Todd

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Gushue, William
Sent: Tuesday, May 26, 2015 8:10 AM
To: [email protected]<mailto:[email protected]>
Subject: [mssms] RE: Software Updates Applied to Servers Without Approval

Another question, though: If they are installed via AU, would this information 
still show up in Software Center?  The notifications were displayed in Software 
Center and it was Software Center that actually performed the reboot (Event 
Viewer shows Ccmexec performing the reboot).

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Mote, Todd
Sent: Monday, May 25, 2015 9:06 PM
To: myITforum SMS List 
([email protected]<mailto:[email protected]>)
Subject: [mssms] RE: Software Updates Applied to Servers Without Approval

UX usually means ‘user experience’, but you’ve got some other key words in 
there like, ‘AU’ and ‘interactive’.  Do these servers have Automatic Updates 
Group Policy applied anywhere?

In c:\windows\ccm\logs you should be able to see stuff around the scan in 
updatesdeployment.log, scanagent.log, datatransferservice.log, 
updateshandler.log, updatesstore.log and wuahandler.log to see all of the 
updates.

Also, in windowsupdate.log you should see more stuff like this:

2015-05-25          19:14:24:752       5272       14f4       COMAPI             
  -- START --  COMAPI: Search [ClientId = CcmExec]
2015-05-25          19:14:24:752       5272       14f4       COMAPI             
  ---------
2015-05-25          19:14:24:753       940        c14         Agent    
*************
2015-05-25          19:14:24:753       940        c14         Agent    ** START 
**  Agent: Finding updates [CallerId = CcmExec]
2015-05-25          19:14:24:753       940        c14         Agent    *********
2015-05-25          19:14:24:753       940        c14         Agent      * 
Include potentially superseded updates
2015-05-25          19:14:24:753       940        c14         Agent      * 
Online = No; Ignore download priority = Yes
2015-05-25          19:14:24:753       940        c14         Agent      * 
Criteria = "((DeploymentAction=* AND Type='Software' AND CategoryIDs contains 
'84F5F325-30D7-41C4-81D1-87A0E6535B66') OR (DeploymentAction=* AND 
Type='Software' AND CategoryIDs contains 
'704A0A4A-518F-4D69-9E03-10BA44198BD5') OR (DeploymentAction=* AND 
Type='Software' AND CategoryIDs contains 
'6248B8B1-FFEB-DBD9-887A-2ACF53B09DFE') OR (DeploymentAction=* AND 
Type='Software' AND CategoryIDs contains 
'1403F223-A63F-F572-82BA-C92391218055') OR (DeploymentAction=* AND 
Type='Software' AND CategoryIDs contains 
'041E4F9F-3A3D-4F58-8B2F-5E6FE95C4591') OR (DeploymentAction=* AND 
Type='Software' AND CategoryIDs contains 
'B54E7D24-7ADD-428F-8B75-90A396FA584F') OR (DeploymentAction=* AND 
Type='Software' AND CategoryIDs contains 
'0FA1201D-4330-4FA8-8AE9-B877473B6441'))"
2015-05-25          19:14:24:753       940        c14         Agent      * 
ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2015-05-25          19:14:24:753       940        c14         Agent      * 
Search Scope = {Machine}
2015-05-25          19:14:24:753       940        c14         Agent      * 
Caller SID for Applicability: S-1-5-18
2015-05-25          19:14:24:758       5272       14f4       COMAPI             
  <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]
2015-05-25          19:14:27:089       940        c14         Agent      * 
Added update {BDB0E301-5660-4DB8-A396-F3C9C0C10776}.201 to search result
2015-05-25          19:14:27:090       940        c14         Agent      * 
Added update {D391DE02-B9A1-4C5B-B8C1-7ECCA958ACDF}.203 to search result
2015-05-25          19:14:27:090       940        c14         Agent      * 
Added update {92504704-BF09-4CE5-8436-90B6AE8A842A}.201 to search result
2015-05-25          19:14:27:090       940        c14         Agent      * 
Added update {28904808-0DBB-4812-9A9A-7E9977ADE38A}.202 to search result
2015-05-25          19:14:27:090       940        c14         Agent      * 
Added update {09257309-72A1-4622-B9DA-610B9E037E2E}.201 to search result
2015-05-25          19:14:27:090       940        c14         Agent      * 
Added update {C822D00A-FEC3-4B65-8F63-6E6BEA292944}.203 to search result

That 5th column in yours shows ‘AU’ which typically means Auto Update, and not 
‘Agent’  like mine above which should be your sccm client doing stuff.

Looks to me like they did what they were told, it just wasn’t SCCM.  Maybe WSUS 
via Group Policy?

Todd
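
The component-column check described in the message above, as an added example (not code from anyone on this thread): it re-joins mail-wrapped windowsupdate.log lines and tallies which caller drove each scan or install. Counting every `AU` line as Automatic Updates activity follows the thread's reading of that column; the function names are illustrative.

```python
import re
from collections import Counter

# Columns: date, time, PID, TID (hex), component, message.
RECORD_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s+([0-9a-fA-F]+)\s+(\S+)\s*(.*)$"
)
# Caller tag as seen in the excerpts: [ClientId = CcmExec], [CallerId = CcmExec  Id = 6]
CALLER_RE = re.compile(r"\[(?:ClientId|CallerId) = ([^\s\]]+)")

# Constructed sample: lines copied from the excerpts in this thread, still mail-wrapped.
SAMPLE = """\
“2015-05-25        10:26:07:179       1224       5b5c       AU
        AU received approval from UX for 43 updates
2015-05-25          10:26:07:303       1224       5b5c       AU
BeginInteractiveInstall invoked for Download
2015-05-27          05:17:21:394       848        3e4         Misc
Microsoft signed: Yes
2015-05-27          05:17:21:410       644        11a8      COMAPI
 -- START --  COMAPI: Install [ClientId = CcmExec]
2015-05-27          05:17:21:410       848        122c       Agent    ** START
**  Agent: Installing updates [CallerId = CcmExec]
2015-05-27          05:23:47:746       848        514         Agent    ** START
**  Agent: Finding updates [CallerId = CcmExec  Id = 6]
"""


def parse_records(text):
    """Split pasted log text into records, joining wrapped continuation lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip().strip("“”")  # drop typographic quotes added in the mail
        m = RECORD_RE.match(line)
        if m:
            date, time, pid, tid, component, message = m.groups()
            current = {"timestamp": f"{date} {time}", "pid": int(pid), "tid": tid,
                       "component": component, "parts": [message]}
            records.append(current)
        elif not line:
            current = None  # a blank line ends the record; later prose is not log text
        elif current is not None:
            current["parts"].append(line)
    for rec in records:
        rec["message"] = " ".join(p for p in rec.pop("parts") if p)
    return records


def initiators(text):
    """Return (timestamp, initiator, message) for lines that show who drove the work."""
    found = []
    for rec in parse_records(text):
        caller = CALLER_RE.search(rec["message"])
        if rec["component"] == "AU":
            # Assumption taken from the thread: the AU component is Automatic Updates.
            found.append((rec["timestamp"], "AU", rec["message"]))
        elif rec["component"] in ("Agent", "COMAPI") and caller:
            found.append((rec["timestamp"], caller.group(1), rec["message"]))
    return found


def summarize(text):
    """Count initiator lines per caller, e.g. AU versus CcmExec."""
    return Counter(who for _, who, _ in initiators(text))


if __name__ == "__main__":
    for who, count in summarize(SAMPLE).most_common():
        print(f"{who}: {count}")
```

A server whose tally is dominated by `AU` rather than `CcmExec` matches the situation described in the message above.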

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Gushue, William
Sent: Monday, May 25, 2015 2:10 PM
To: myITforum SMS List 
([email protected]<mailto:[email protected]>)
Subject: [mssms] Software Updates Applied to Servers Without Approval

I configured a Software Update Group to deploy to a group of servers this past 
weekend.  A number of other servers ended up installing the updates.  I have:

1. Checked the collection (which I have since deleted) to ensure the correct 
servers were added.
2. Checked the Properties of the servers that received the updates (even though 
they shouldn’t have) and there were NO deployments in the Deployments tab.
3. Checked reports and they tell me the updates were required, but there was no 
check mark under “Approved”
4. Checked for Duplicate GUIDs and there are none that apply.
5. Checked the Windows Update log file and see the following:
                “2015-05-25        10:26:07:179       1224       5b5c       AU  
        AU received approval from UX for 43 updates
2015-05-25          10:26:07:179       1224       5b5c       AU          AU 
setting pending client directive to 'Progress Ux'
2015-05-25          10:26:07:303       1224       5b5c       AU          
BeginInteractiveInstall invoked for Download
2015-05-25          10:26:07:303       1224       5b5c       AU          
Auto-approving update for download, updateId = 
{0087DF01-B453-4F5E-B5B4-E61911BCF5A8}.200, ApprovalIsForUx=1, UpdateOwner=UX, 
HasDeadline=0, IsMinor=0” – which indicates something approved them, but I am 
not sure what “UX” means.

Is there anywhere on the client itself where I can see something to the effect 
“I am supposed to apply these updates and it’s because I am in this 
collection”?  I have been using PolicySpy and checking PolicyEvaluator and 
PolicyAgent but have yet to come across why these updates got approved for 
these systems.  I am usually pretty good at tracking down my own mistakes, but 
this one has me stumped.

Thanks.
