8 Replies Latest reply on Sep 11, 2014 1:18 PM by pmaldonato

    I have a question about updates being approved automatically.

    pmaldonato

      For the last two months, when the Microsoft patches have been released, our patch manager software has been approving random patches for random groups. There are only two of us with access to the patch manager console, and neither of us had approved them. I also checked the task history and don't see any notification of approval. I was wondering if anyone else had run into this situation before. I'm really lost as to where I can even begin to check for how they're being approved. Any help or direction would be greatly appreciated. Thanks in advance.

       

      The only thing that I know of that has changed is that we recently renewed our maintenance contract.

        • Re: I have a question about updates being approved automatically.
          Lawrence Garvin
          "our patch manager software has been approving random patches for random groups."

          This is functionally impossible. :-)

           

          Any Approvals issued from Patch Manager would generate a Task History entry for the approval task, whether done interactively or scheduled. There may be Automatic Approval rules in place on the WSUS server causing this, but Patch Manager does not have the capability to create/manage Automatic Approval rules. They must be created via the native console.

           

          You can review approvals, when they were set, the groups they were set for, and the user account used to set them with the Patch Manager console on the Update Approvals tab of the WSUS node.

          Updates approved by Automatic Approval rules will be recorded under the "Approved By" of "WUS Server", as highlighted here.

          [Screenshot: 9-11-2014 9-55-16 AM.png]

            • Re: I have a question about updates being approved automatically.
              pmaldonato

              Lawrence, thanks for the quick reply. I didn't think it was possible, but as I mentioned, I was at a loss as to how they could have been approved. I checked the update approvals rule and found that they were being approved literally one second after the server received them, by the logon that we use for the WSUS server. It looks like it's the server somehow approving them. I'll have to check the Windows Update log and Event Viewer on the update server and see if I can find anything. If you know of anywhere else I can check, it would be appreciated.

                • Re: I have a question about updates being approved automatically.
                  Lawrence Garvin

                  That's classic behavior of an Automatic Approval Rule having been enabled on the WSUS server.

                  Go to Options -> Automatic Approvals in the native console to access and manage them.

                    • Re: I have a question about updates being approved automatically.
                      pmaldonato

                      I went there, and under the Advanced tab it has check marks under revisions to updates for "automatically approve new revisions of updates that were already approved" and "automatically decline updates when a new revision causes them to expire". My only question is why it would start just this month (my original post was incorrect; it wasn't the past two months)? I guess I have to check and see if these updates were revisions. I'd find that hard to believe, but I guess it's possible.

                       

                      Thanks again for all the help.

                        • Re: I have a question about updates being approved automatically.
                          Lawrence Garvin

                          This is the part of that dialog you want to check:

                           

                          [Screenshot: 9-11-2014 11-23-51 AM.png]

                            • Re: I have a question about updates being approved automatically.
                              pmaldonato

                              There is one rule in there, "Default Automatic Approval Rule". It's not checked, but it's set for when an update is in a specific classification (Critical Updates, Security Updates) to approve the update for all computers. I did notice in the server sync logs that on 9/2 there were 4 new and 114 revised updates, and on 9/9 there were 94 new and 96 revised updates released. I think what I'm seeing approved automatically is the revised updates. This would make sense according to my previous post, in which I saw that revisions of updates already approved should be automatically approved. With the exception of August 18th, when there were 90, going back to June of this past year in the sync logs there were never even close to that many revisions released by Microsoft. Does this seem to make sense to you, that these are revisions of already approved updates? That's what I'm thinking is going on.

                               

                              Thanks.

                                • Re: I have a question about updates being approved automatically.
                                  Lawrence Garvin

                                  96 revised updates on 9/9 and 114 on 9/2? Wow! (I had not yet noticed, or heard about, that.)

                                   

                                  Yes, 96 revised updates would definitely have created that kind of activity, and it sounds like you do not have any Automatic Approval rules enabled, so auto-approving revisions is really the only other thing that can account for this.

                                   

                                  It also explains why you saw the approvals against the LOGON account rather than the "WUS Server" identifier (which was bugging me, and I would have come back to it as another path to follow if that had been necessary).

                                    • Re: I have a question about updates being approved automatically.
                                      pmaldonato

                                      Lawrence, thanks again for all the help. It was indeed revised updates being automatically approved. Another way I found this to be true was that one of the updates was approved by a user who is no longer here. I guess when it's a revised update it refers to the original approved account. This was definitely a new one for me. I really appreciate all the help and advice you gave. It was a big help in pointing me in the right direction.

                                       

                                      Thanks again.
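
A read-only audit of the three things checked in this thread (the revision auto-approval check boxes, the Automatic Approval rules, and who approved what and how soon after arrival), as an added example that is not part of any participant's post. It assumes the UpdateServices PowerShell module on the WSUS server; the 30-day look-back, the 60-second window and the treatment of WSUS timestamps as UTC are assumptions chosen for illustration.

```powershell
# Added example: run in an elevated PowerShell session on the WSUS server.
# Read-only: nothing here changes approvals, rules or configuration.
$wsus   = Get-WsusServer
$config = $wsus.GetConfiguration()

# 1. The two "revisions to updates" check boxes on the Advanced tab.
[pscustomobject]@{
    AutoApproveNewRevisions   = $config.AutoRefreshUpdateApprovals
    AutoDeclineExpiredUpdates = $config.AutoRefreshUpdateApprovalsDeclineExpired
}

# 2. Automatic Approval rules and whether each one is actually enabled.
$wsus.GetInstallApprovalRules() | ForEach-Object {
    [pscustomobject]@{
        Rule            = $_.Name
        Enabled         = $_.Enabled
        Classifications = ($_.GetUpdateClassifications() | ForEach-Object Title) -join ', '
        TargetGroups    = ($_.GetComputerTargetGroups()  | ForEach-Object Name)  -join ', '
    }
}

# 3. Approvals recorded within $windowSeconds of the update (or revision)
#    arriving, with the account they were recorded under.
$lookBackDays  = 30   # assumption: how far back to search
$windowSeconds = 60   # assumption: "seconds after sync" threshold

$groups = @{}
$wsus.GetComputerTargetGroups() | ForEach-Object { $groups[$_.Id] = $_.Name }

$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.FromArrivalDate = (Get-Date).ToUniversalTime().AddDays(-$lookBackDays)

$wsus.GetUpdates($scope) | ForEach-Object {
    $update = $_
    $update.GetUpdateApprovals() | Where-Object {
        [math]::Abs(($_.CreationDate - $update.ArrivalDate).TotalSeconds) -le $windowSeconds
    } | ForEach-Object {
        [pscustomobject]@{
            Title      = $update.Title
            Revision   = $update.Id.RevisionNumber
            Arrived    = $update.ArrivalDate
            Approved   = $_.CreationDate
            ApprovedBy = $_.AdministratorName
            Group      = $groups[$_.ComputerTargetGroupId]
            Action     = $_.Action
        }
    }
} | Sort-Object Approved | Format-Table -AutoSize
```

Rows in the last table that carry a revision number above 1 and a named account rather than "WUS Server" match the pattern resolved in this thread: a revised update inheriting an existing approval.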