Forum Discussion
Rickjwjanssen (Copper Contributor)
Jun 21, 2023
Unexpected Automatic Windows Server Updates Despite GPO and WSUS Configurations
Hello everyone,
I am experiencing a disruptive issue across a number of our Windows servers (ranging from Server 2012 to Server 2022). Despite a carefully managed WSUS implementation and GPO enforcement for Windows Updates, we have been facing an issue where several updates are getting automatically installed on these servers. The problem is, these updates are not ones we have explicitly approved, nor are they manually triggered for download/installation.
The automatic reboots following these installations are causing significant service disruptions. Furthermore, the behavior seems to be somewhat random, which makes it even more challenging to root cause.
Here is a summary of the GPO and WSUS configurations, and what I have verified so far:
- The GPO for Windows Updates is configured to '4 - Auto download and schedule the install'. The RSOP confirmed that there are no conflicting GPOs.
- WSUS is functioning correctly and the automatic approval of updates has been disabled.
- Dual Scan is not a factor as it's not relevant to the Windows Server versions we're using.
- It has been confirmed that the updates in question are indeed WSUS updates, but they haven’t been approved by us.
- The issue does not pertain to pre-downloaded update files or Service Stack Updates (SSUs).
Given the above points, I am having a hard time figuring out why these updates are being installed and causing unplanned reboots.
I would really appreciate it if anyone who has encountered a similar issue or anyone with insights could shed some light on this.
Thank you in advance for your assistance!
Best
3 Replies
- Peter2320 (Copper Contributor)
Hello Rickjwjanssen, have you been able to solve this issue?
- Alban1998 (Iron Contributor)
Hello,
First, I would avoid disabling automatic approval of updates - it's a tedious, time-consuming job, and very prone to mistakes. Let WSUS do it - just do not configure deadlines, and manage deployments using GPO.
As usual, make sure the host OS for your GPMC is still supported (2019, but I strongly recommend 2022) and fully updated. Make sure your Central Store is also up-to-date with the latest ADMX (that would be June 2023).
Check your GPO settings again. Then check WSUS configuration, and Windows Update logs on servers. There should be something wrong there.
- Kiroley (Copper Contributor)
Experienced a similar issue this week with an Exchange Update.
Scenario:
Servers in group A update every Saturday (First Week)
Servers in group B update every Saturday (Second Week)
Both set via separate GPOs and separate security groups
Situation:
On the second Saturday of this month BOTH groups of servers scheduled the update and installed/rebooted.
Investigation:
Have inspected all GPOs, no conflicts. The only GPO setting I have found is "Enable Client-Side Targeting", which has a configuration of ALL GROUPS (which both group A and B are a part of), but from reading the GPO it only relates to what updates it receives from WSUS, not when it schedules to install them.
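
The checks suggested in the replies above (GPO settings, WSUS configuration, Windows Update logs) can be collected on an affected server with a read-only script like the one below. It is an added example, not something posted by a participant in this thread; the 30-day look-back in `$days` is an assumption.

```powershell
# Added example: read-only audit of Windows Update policy, install history and reboots.
# Run in an elevated PowerShell session on an affected server.
$days = 30   # assumed look-back window; widen it to cover the unexpected install

# 1. Policy values written by GPO (WSUS URL, target group, AUOptions, schedule).
$policyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
              'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        "`n[$key]"
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |      # drop PSPath, PSProvider, ...
            ForEach-Object { '{0,-45} {1}' -f $_.Name, $_.Value }
    } else {
        "`n[$key] not present (no policy value applied here)"
    }
}

# 2. Windows Update Agent history: what was installed, from which source, by which caller.
$source    = @{ 0 = 'Default'; 1 = 'ManagedServer (WSUS)'; 2 = 'WindowsUpdate'; 3 = 'Other' }
$operation = @{ 1 = 'Install'; 2 = 'Uninstall' }
$searcher  = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total     = $searcher.GetTotalHistoryCount()
$cutoffUtc = (Get-Date).ToUniversalTime().AddDays(-$days)   # history dates are UTC

if ($total -gt 0) {
    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Date -ge $cutoffUtc } |
        Sort-Object Date |
        Select-Object @{ n = 'DateUtc';   e = { $_.Date } },
                      @{ n = 'Operation'; e = { $operation[[int]$_.Operation] } },
                      @{ n = 'Result';    e = { $_.ResultCode } },   # 2 = succeeded, 4 = failed
                      @{ n = 'Source';    e = { $source[[int]$_.ServerSelection] } },
                      @{ n = 'Caller';    e = { $_.ClientApplicationID } },
                      Title |
        Format-Table -AutoSize -Wrap
}

# 3. Restart events (System log, ID 1074) name the process that requested each reboot.
Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 1074
        StartTime = (Get-Date).AddDays(-$days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

Comparing the `Source` and `Caller` columns for the unexpected installs against the WSUS approval list, and the 1074 events against the GPO schedule, narrows down whether the install came from the scheduled Automatic Updates run or from another client.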