WSUS: Using change.log to track updates that were declined (with scenarios)


 

Hello Folks, Many a times we do get some issues where we need to find why an update was installed, or Update that were declined soon after an incorrect deployment. The below blog post illustrates the different scenarios recorded in the change.log when an update is declined. The good thing to notice here is it mentions the time, KB and the user who did the change.

 

Scenario 1:

 

1.Update is approved.

 

2012-09-11 19:46:50.662 UTC              Successfully deployed deployment(Install) of Security Update for Windows XP Embedded (KB2286198) by NINJAS\Administrator UpdateID:D1B5B435-D965-4023-93FB-47798431EDCB Revision Number:104 TargetGroup: xyzUnassigned Computers

 

2. The same update is then un-approved

 

2012-09-11 19:49:17.670 UTC              Deleted deployment(Install) of Security Update for Windows XP Embedded (KB2286198) by NINJAS\Administrator UpdateID:D1B5B435-D965-4023-93FB-47798431EDCB Revision Number:104 TargetGroup: xyzUnassigned Computers

2012-09-11 19:49:17.670 UTC              Successfully deployed deployment(Block) of Security Update for Windows XP Embedded (KB2286198) by NINJAS\Administrator UpdateID:D1B5B435-D965-4023-93FB-47798431EDCB Revision Number:104 TargetGroup: xyzUnassigned Computers

 

3. The same update is then re-approved

 

2012-09-11 19:49:44.853 UTC              Deleted deployment(Block) of Security Update for Windows XP Embedded (KB2286198) by NINJAS\Administrator UpdateID:D1B5B435-D965-4023-93FB-47798431EDCB Revision Number:104 TargetGroup: xyzUnassigned Computers

2012-09-11 19:49:44.853 UTC              Successfully deployed deployment(Install) of Security Update for Windows XP Embedded (KB2286198) by NINJAS\Administrator UpdateID:D1B5B435-D965-4023-93FB-47798431EDCB Revision Number:104 TargetGroup: xyzUnassigned Computers

 

Scenario 2:

 

1.Update is approved.

 

2012-09-11 19:46:50.662 UTC              Successfully deployed deployment(Install) of Security Update for Windows XP Embedded (KB2286198) by NINJAS\Administrator UpdateID:D1B5B435-D965-4023-93FB-47798431EDCB Revision Number:104 TargetGroup: xyzUnassigned Computers

 

2. The same update is declined.

 

2012-09-11 19:49:17.670 UTC              Deleted deployment(Install) of Security Update for Windows XP Embedded (KB2286198) by NINJAS\Administrator UpdateID:D1B5B435-D965-4023-93FB-47798431EDCB Revision Number:104 TargetGroup: xyzUnassigned Computers

 

Scenario 3:

 

1.Update is approved.

 

2012-09-11 19:46:50.662 UTC              Successfully deployed deployment(Install) of Security Update for Windows XP Embedded (KB2286198) by NINJAS\Administrator UpdateID:D1B5B435-D965-4023-93FB-47798431EDCB Revision Number:104 TargetGroup: xyzUnassigned Computers

 

2. The same update is then un-approved

 

2012-09-11 19:49:17.670 UTC              Deleted deployment(Install) of Security Update for Windows XP Embedded (KB2286198) by NINJAS\Administrator UpdateID:D1B5B435-D965-4023-93FB-47798431EDCB Revision Number:104 TargetGroup: xyzUnassigned Computers

2012-09-11 19:49:17.670 UTC              Successfully deployed deployment(Block) of Security Update for Windows XP Embedded (KB2286198) by NINJAS\Administrator UpdateID:D1B5B435-D965-4023-93FB-47798431EDCB Revision Number:104 TargetGroup: xyzUnassigned Computers

 

3. The same update is then declined

 

2012-09-11 19:49:44.853 UTC              Deleted deployment(Block) of Security Update for Windows XP Embedded (KB2286198) by NINJAS\Administrator UpdateID:D1B5B435-D965-4023-93FB-47798431EDCB Revision Number:104 TargetGroup: xyzUnassigned Computers

 

Scenario 4:

 

The update is declined direclty:

 

No change in the change.log

 

So here we come to one conclusion that just by getting the lines;

 

1. Deleted deployment(Install)

2. Deleted deployment(Block)

 

We can’t come to the conclusion if the update was manually declined as we see that under different scenarios of approve and un-approve we can get this lines.

 

So then the big question comes is how to check if the update got declined by right clicking it?

 

So if it was declined before the approval as in scenario 4. We could not even get to know this.

 

But if the update was declined manually after the approval status changed then we have a catch to get that:

We see that whenever we decline the update we get only one line without any combination of Successfully deployed deployment(Install) or Successfully deployed deployment(Block)

 

So if we see a series of only one of the below mentioned statement (without any other combination) in the change.log for an update for different target group(s):

 

1.        Deleted deployment(Block): This would mean the update was declined when it was set for un-approved.

2.       Deleted deployment(Install): This would mean the update was declined when it was approved.

 

Now having this information I checked the same for the updates we had:

 

Update KB –        2685939:

The series of only the one statement: (Means the update was declined in the up-approved state)

 _____________________________________________________________________________

2012-08-17 20:53:16.796 UTC        Deleted deployment(Block) of Security Update for Windows Server 2008 R2 x64 Edition (KB2685939) by Ninjas\Administrator UpdateID:4C7AA3E4-0DD0-4F69-81B8-3FA978098C17 Revision Number:101 TargetGroup: xyz

2012-08-17 20:53:16.796 UTC        Deleted deployment(Block) of Security Update for Windows Server 2008 R2 x64 Edition (KB2685939) by Ninjas\Administrator UpdateID:4C7AA3E4-0DD0-4F69-81B8-3FA978098C17 Revision Number:101 TargetGroup: xyz

2012-08-17 20:53:16.796 UTC        Deleted deployment(Block) of Security Update for Windows Server 2008 R2 x64 Edition (KB2685939) by Ninjas\Administrator UpdateID:4C7AA3E4-0DD0-4F69-81B8-3FA978098C17 Revision Number:101 TargetGroup: xyz

2012-08-17 20:53:16.812 UTC         Deleted deployment(Block) of Security Update for Windows Server 2008 R2 x64 Edition (KB2685939) by Ninjas\Administrator UpdateID:4C7AA3E4-0DD0-4F69-81B8-3FA978098C17 Revision Number:101 TargetGroup: xyz

2012-08-17 20:53:16.812 UTC         Deleted deployment(Install) of Security Update for Windows Server 2008 R2 x64 Edition (KB2685939) by Ninjas\Administrator UpdateID:4C7AA3E4-0DD0-4F69-81B8-3FA978098C17 Revision Number:101 TargetGroup: xyz

______________________________________________________________________________

Hope this helps.

Umair Khan

Support Escalation Engineer | Microsoft System Center ConfigMgr  

Disclaimer:
This posting is provided “AS IS” with no warranties and confers no rights.

Comments (1)

  1. Raji says:

    Is there a way to check whether a deadline was set while approving patches from wsus?

Skip to main content