
Weird issue with unapproved patches installing

I have a fresh 2008 Server running PM 1.85.  Registered all the downstream servers, set up the approvals on the latest round of updates.  Everything's working pretty great (minus a ticket open for some reporting issues from custom generated reports), until I start getting calls that a 3rd party update is installing and it shouldn't be based on our approvals.

We have multiple groups based on specific needs (Adobe group, Apple group, Java Approved group, Java Not Approved group, etc).  The Java Not Approved has, you guessed it, Java 7u25 Not Approved (Inherited) and Java Approved set to Approved for Install.  This is shown on the Patch Manager server as well as the downstream server that reports to it.  However, PCs are getting the Java update.  In the windowsupdate.log it shows it's coming in from WSUS.

Any ideas or need more info?  This is boggling my mind.

  • If the Java Not Approved group has the update package set to Not Approved (Inherited), and the Java Approved group has the update package set to Approved for Install, and some computers in the Java Not Approved group are getting the update anyway, the logical inference is that those computers have been accidentally assigned to both groups.

    Pick one of those computers that received the update that should not have, find the computer in the All Computers group of the upstream server, select the computer, click on "Change Group Membership" in the Actions Pane, and observe the actual group(s) configured for that computer.

    Also potentially relevant is whether these groups are peer-groups, or parent-child groups, because inheritance of approvals is the default behavior. (e.g. a "Not for approval" group should never be a subgroup of another group where the update would be approved.)

  • Group approval looked good for the test PC.  However, got to thinking about this overnight before your reply and remembered, I had an issue with auto approvals and this update had been initially auto approved (all of them did to be exact, but only Java is one we segregate into Approved/Not Approved based on groups) due to auto approvals set on my WSUS server.  So I manually set Java to Not Approved rather than inherited, so far I'm not seeing new instances.


    Thanks sir for giving me something else to check as well.
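
The two checks discussed in this thread (actual group membership, and where an inherited approval really comes from) can be done in one pass with the WSUS administration API. This is an added example, not code from any poster above; the computer name and the update title filter are placeholders to replace with your own values.

```powershell
# Added example. Run in an elevated PowerShell session on the WSUS server.
$computerName = 'PC01.example.local'   # placeholder: a PC that received the update
$titleFilter  = 'Java 7 Update 25'     # assumed title text of the update to trace

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus     = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$allId    = [Microsoft.UpdateServices.Administration.ComputerTargetGroupId]::AllComputers
$computer = $wsus.GetComputerTargetByName($computerName)

foreach ($update in $wsus.SearchUpdates($titleFilter)) {
    # Every group the computer is a member of is evaluated separately.
    foreach ($member in $computer.GetComputerTargetGroups()) {
        # Start at the member group and climb towards All Computers until a
        # group carrying an explicit approval for this update is found.
        $group    = $member
        $approval = $null
        while ($true) {
            # Simplification: only the first approval on a group is examined.
            $approval = $update.GetUpdateApprovals($group) | Select-Object -First 1
            if ($approval -or $group.Id -eq $allId) { break }
            $group = $group.GetParentTargetGroup()
        }

        # One row per membership: the effective action, the group it was set
        # on, whether it was inherited, and who or what created the approval.
        New-Object PSObject -Property @{
            Update     = $update.Title
            MemberOf   = $member.Name
            Effective  = if ($approval) { $approval.Action } else { 'NotApproved' }
            SetOnGroup = if ($approval) { $group.Name } else { '(none)' }
            Inherited  = [bool]($approval -and $group.Id -ne $member.Id)
            ApprovedBy = if ($approval) { $approval.AdministratorName } else { '' }
            ApprovedOn = if ($approval) { $approval.CreationDate } else { $null }
        }
    }
}
```

A row with `Inherited` true and `Effective` set to `Install` for a group that is meant to block the update shows which ancestor group the approval was placed on, and `ApprovedBy` shows the account that created it.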