• WSUS Bypass?

    #199047

    Today I had a very alarming situation in a WSUS environment.  For some reason, servers have 2018-06 patches waiting to be installed.  Why is this alarming?  Because automatic approval is turned off and 2018-06 patches have not been approved.

    Has anyone else experienced this issue?

    Auto approve is off
    2018-06 is unapproved
    2018-06 updating anyway

     

    • #199069

      Do you have dual scan disabled?

      “Do not allow update deferral policies to cause scans against Windows Update”

      If you have WSUS

      If you have any of the WUforBusiness deferral policies in place this triggers (IMHO a bug) whereby the system then looks to WU not WSUS.

      You have to put that group policy in place to get it to use WSUS rules only.

      https://blogs.technet.microsoft.com/yongrhee/2018/03/12/windows-10-v1607-dualscan-behavior-when-do-not-allow-update-deferral-policies-to-cause-scans-against-windows-update-is-set/

      https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/

      Susan Bradley Patch Lady/Prudent patcher

      2 users thanked author for this post.
    • #199083

      So, to clarify, if there is a deferral policy, Windows bypasses the WSUS policy in favor of WU.  I did find a deferral policy for CBB and 365 and disabled it.  Now behavior appears to be normal again.  I will discuss the policy with the customer.  Thank you for the information.

       

      • #199233

        You have to question yourself why you use deferral policies in managed systems in the first place. I know Susan has a different point of view than mine, but I personally have higher expectations from IT Professionals in terms of testing, understanding the issues involved and at the end of the day spending the time required for all those above.
        You have to understand that I am more large enterprise and virtualisation oriented while Susan is more SMB oriented, although there is a large degree of overlapping.

    • #199119

      IMHO I do both.

      Set deferral policies

      Set the policy to block dual scan

      I can then assure myself that users can’t MU and accidentally grab a feature release and then I’m not having machines bypass WSUS.

      Susan Bradley Patch Lady/Prudent patcher

      1 user thanked author for this post.
      • #199386

        You might consider blocking MU completely instead of using deferral policies.
        It all depends on requirements and to a certain extent on the systems engineer/administrator’s style.
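
The condition discussed in this thread (WSUS configured, a deferral policy present, dual scan not blocked) can be checked on a client from its Group Policy registry values. The following is an added example, not code from any poster in the thread; the function names are hypothetical, and treating any present deferral value as "configured" is a conservative assumption. It reads only Group Policy values, not MDM-delivered policy.

```powershell
# Added example: flags clients where a deferral policy can send scans to
# Windows Update instead of WSUS (the "dual scan" behavior in this thread).
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = Join-Path $WuKey 'AU'
$DeferralNames = @('DeferFeatureUpdates', 'DeferQualityUpdates',
                   'DeferFeatureUpdatesPeriodInDays',
                   'DeferQualityUpdatesPeriodInDays', 'BranchReadinessLevel')

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Emits nothing ($null) when the key or value is absent (not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-DualScanExposure {
    # $Policy is a hashtable of value name -> data, so the logic can be
    # exercised with constructed input as well as live registry data.
    param([hashtable]$Policy)
    $usesWsus = ($Policy['UseWUServer'] -eq 1) -and [bool]$Policy['WUServer']
    # Assumption: a deferral value that exists at all counts as configured.
    $deferrals = @($DeferralNames | Where-Object { $null -ne $Policy[$_] })
    # DisableDualScan = 1 is the "Do not allow update deferral policies to
    # cause scans against Windows Update" policy quoted above.
    $blocked = ($Policy['DisableDualScan'] -eq 1)
    [pscustomobject]@{
        UsesWsus            = $usesWsus
        DeferralPoliciesSet = $deferrals -join ', '
        DualScanBlocked     = $blocked
        Exposed             = $usesWsus -and ($deferrals.Count -gt 0) -and -not $blocked
    }
}

# Live check on the local machine.
$live = @{ UseWUServer = Get-PolicyValue $AuKey 'UseWUServer' }
foreach ($name in @('WUServer', 'DisableDualScan') + $DeferralNames) {
    $live[$name] = Get-PolicyValue $WuKey $name
}
Test-DualScanExposure -Policy $live

# Constructed sample matching the original post: WSUS in use, a deferral
# policy set, dual scan not blocked. Exposed is True.
$sample = @{ UseWUServer = 1; WUServer = 'http://wsus.example.internal:8530'
             BranchReadinessLevel = 32 }
Test-DualScanExposure -Policy $sample
```

Setting `DisableDualScan` to 1 in the constructed sample changes `Exposed` to False, which is the "do both" configuration described in reply #199119.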
