WSUS clients in Azure not auto install/reboot at GPO configured time


Hi all,

We have WSUS deployed on prem and extended via VPN to our Azure VMs. Connectivity is perfect; updates are being downloaded both on prem and on the Azure VMs, and they are checking in regularly.

The on-prem servers and Azure VMs have the same GPO settings applied.

E.g.

Windows Components/Windows Update

Always automatically restart at the scheduled time: Enabled
    The restart timer will give users this much time to save their work (minutes): 15

Automatic Updates detection frequency: Enabled
    Check for updates at the following interval (hours): 6

Configure Automatic Updates: Enabled
    Configure automatic updating: 4 - Auto download and schedule the install
    The following settings are only required and applicable if 4 is selected.
    Install during automatic maintenance: Disabled
    Scheduled install day: 1 - Every Tuesday
    Scheduled install time: 04:00

Do not connect to any Windows Update Internet locations: Enabled

Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box: Enabled

Enable client-side targeting: Enabled
    Target group name for this computer: dev

No auto-restart with logged on users for scheduled automatic updates installations: Disabled

Specify intranet Microsoft update service location: Enabled
    Set the intranet update service for detecting updates: http://ourwsusserver.domain.int:8530
    Set the intranet statistics server: http://ourwsusserver.domain.int:8530
    (example: http://intranetupd01)

Turn off the upgrade to the latest version of Windows through Windows Update: Enabled

The on-prem servers are automatically installing and rebooting on the configured day and time when updates are approved.

The Azure VMs are not. There's nothing in WindowsUpdate.log regarding failures to install or reboot, nor any error entries from the WindowsUpdateClient source in the System log.

There are informational logs in System before the appointed install/reboot time that show the WU client has patches downloaded and ready to install:

Log Name:      System
Source:        Microsoft-Windows-WindowsUpdateClient
Date:          7/18/2016 6:29:52 PM
Event ID:      17
Task Category: Automatic Updates
Level:         Information
Keywords:      Success,Download
User:          SYSTEM
Computer:      servername.domain.int
Description:
Installation Ready: The following updates are downloaded and ready for installation:
 - Security Update for Microsoft .NET Framework 4.5.2 on Windows 8.1 and Windows Server 2012 R2 for x64 (KB3163291)
 - Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 for x64 (KB3163247)
 - Security Update for Windows Server 2012 R2 (KB3170455)
 - Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.225.1834.0)
 - Security Update for Windows Server 2012 R2 (KB3172727)
 - Security Update for Windows Server 2012 R2 (KB3168965)
 - Cumulative Security Update for Internet Explorer 11 for Windows Server 2012 R2 (KB3170106)
 - Security Update for Windows Server 2012 R2 (KB3170377)
 - Security Update for Windows Server 2012 R2 (KB3169704)


The difference between our on-prem devices and Azure VMs: in WSUS we have definition updates for System Center Endpoint Protection configured to automatically approve for install. I see these being installed:

Log Name:      System
Source:        Microsoft-Windows-WindowsUpdateClient
Date:          7/18/2016 6:29:57 PM
Event ID:      43
Task Category: Windows Update Agent
Level:         Information
Keywords:      Started,Installation
User:          SYSTEM
Computer:      servername.domain.int
Description:
Installation Started: Windows has started installing the following update: Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.225.1834.0)

Log Name:      System
Source:        Microsoft-Windows-WindowsUpdateClient
Date:          7/18/2016 6:31:05 PM
Event ID:      19
Task Category: Windows Update Agent
Level:         Information
Keywords:      Success,Installation
User:          SYSTEM
Computer:      servername.domain.int
Description:
Installation Successful: Windows successfully installed the following update: Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.225.1834.0)

Is having these updates being automatically approved and installed "confusing" the WU client so that it doesn't install the rest of the updates at the configured install day/time?

I know there is a GPO setting "Allow Automatic Updates immediate installation" that we have undefined. Does it need to be enabled to allow SCEP updates to install when they're approved while the remaining updates install/reboot at the configured day/time?

Any other ideas on what to check?

I found out the culprit is the IaaS Antimalware VM extension (SCEP).

I opened a case with MSFT.

Ironically, the automatic SCEP definition updates install fine from the WSUS server, but the OS updates did not.
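
A way to compare an on-prem server with an Azure VM for the symptom described in this thread (an added example, not part of the original post): it dumps the Windows Update policy values that Group Policy wrote to the registry and lists updates reported as downloaded (event 17) with no successful install (event 19) in the same window. The 14-day look-back and the reliance on English event text are assumptions made here.

```powershell
# Added example. Run elevated on an on-prem server and on an Azure VM, then compare output.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

# 1. Windows Update policy values as delivered by Group Policy.
[pscustomobject]@{
    Computer                        = $env:COMPUTERNAME
    WUServer                        = $wu.WUServer
    WUStatusServer                  = $wu.WUStatusServer
    TargetGroup                     = $wu.TargetGroup
    AUOptions                       = $au.AUOptions
    ScheduledInstallDay             = $au.ScheduledInstallDay
    ScheduledInstallTime            = $au.ScheduledInstallTime
    AutoInstallMinorUpdates         = $au.AutoInstallMinorUpdates
    AlwaysAutoRebootAtScheduledTime = $au.AlwaysAutoRebootAtScheduledTime
    NoAutoRebootWithLoggedOnUsers   = $au.NoAutoRebootWithLoggedOnUsers
} | Format-List

# 2. WindowsUpdateClient events: 17 = ready, 43 = started, 19 = installed.
$since  = (Get-Date).AddDays(-14)   # look-back window, an assumption
$events = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
    Id           = 17, 19, 43
    StartTime    = $since
} -ErrorAction SilentlyContinue)

# Titles listed as "- <title>" lines in event 17 (English message text assumed).
$ready = @(foreach ($e in ($events | Where-Object { $_.Id -eq 17 })) {
    foreach ($line in ($e.Message -split "`r?`n")) {
        if ($line -match '^\s*-\s+(.+)$') {
            [pscustomobject]@{ FirstReady = $e.TimeCreated; Title = $Matches[1].Trim() }
        }
    }
})
# Titles confirmed installed by event 19.
$installed = @(foreach ($e in ($events | Where-Object { $_.Id -eq 19 })) {
    if ($e.Message -match 'following update:\s*(.+)') { $Matches[1].Trim() }
})

# Downloaded but never installed in the window: the symptom from the thread.
$ready | Where-Object { $installed -notcontains $_.Title } |
    Group-Object Title | ForEach-Object {
        [pscustomobject]@{
            Title      = $_.Name
            FirstReady = $_.Group.FirstReady | Sort-Object | Select-Object -First 1
        }
    } | Sort-Object FirstReady | Format-Table -AutoSize -Wrap
```

A title that stays in the last table past the scheduled install day and time on one machine but not the other, with identical policy values in part 1, points away from GPO and toward something local to that machine.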

