So, I am coming to a close on our Windows Update Server project. We successfully have our workstations group, dev group, stage group, all receiving updates. Everything working correctly. Ive used this board a lot during this process (Lawrence provides some great insight).
The last part of this project, was create the Production servers group and detect all of the machines. (finally came to this point after correcting a sysvol repl issue that was causing policies to not replicate between DCs.
Anywho, Last night..... All of these servers rebooted. I knew right away it was wsus based on the time it started happening. The only problem is, I just created this group this week and I have never approved a single update for it. How could WSUS have gotten the green light to download and install updates to this group? I checked the system logs of some of the DCs in this group and sure enough, updates were installed. We are working on coming up with a manual or automated reboot order for this group, so I was not prepared for these machines to do this.
One thing I can mention that may help, When I go to approved updates and click on any given update to see which groups it was approved for, I do see the other groups list "install" under the approval header. For this production group and for unassigned computers, it says "Not Approved (Inherited).
Is my WSUS behaving correctly or is this not correct? Is the "(inherited)" a giveaway that somehow this group is getting an approval?
Please let me know if any more information about my setup such as the GPO config is needed.
Thanks!