myITforum and Windows IT Pro Forums

 Audit Windows Update Installations w/ SCCM

pkutz
Audit Windows Update Installations w/ SCCM Tuesday, March 13, 2012 3:06 PM (permalink)
Does anyone know where I can find out who installed Windows Updates using SCCM?  Someone rebooted a server in the middle of the day (by installing updates) & I need to know who.
 
I've checked the following:
1) UpdatesDeployment.log:
"InstallUpdates Initiated by user"
That's not helpful...
 
2) WMI - Win32_QuickFixEngineering
The InstalledBy field just says SYSTEM.
 
...and I can't find anything in the event logs.  Does anyone have an idea?
Thanks
-p
 
#1
    npherson
    Re:Audit Windows Update Installations w/ SCCM Tuesday, March 13, 2012 4:42 PM (permalink)
    There might be an easier or more definitive way, but the only thing I can come up with right now is:
     
    Look at the time that "InstallUpdates Initiated by user" appeared in the UpdatesDeployment.log and correlate that with logon information in the Security Event log.
     
    Although, be prepared for whoever it is to ask "why weren't reboots suppressed?" if you are looking to hang somebody.
     
    As an aside, I'm very excited for CM12 because of the ease of use around management windows and updates.  This type of thing shouldn't happen near as much in the future.
     
     
    I hope that helps,
     
     
    Nash
     
    #2
      pkutz
      Re:Audit Windows Update Installations w/ SCCM Tuesday, March 13, 2012 4:51 PM (permalink)
      Lol...forgot to mention it's a Remote Desktop server, so about 80 users were connected at that time.  That's part of the reason I'd like to figure this out - to make sure a user didn't have access rights that they shouldn't have...
       
      Oddly enough, the reboots were suppressed for about 12 hours until somehow Windows decided it was a good time to reboot, which killed 13 connected sessions.  (which makes even less sense, but I have the logs to prove that - and no, it wasn't during a scheduled maintenance window).  
       
       
       
      #3
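The correlation suggested in reply #2, as an added PowerShell example that is not part of the original thread: it takes the timestamp of each "InstallUpdates Initiated by user" line and lists the interactive and Remote Desktop sessions that were still logged on at that moment. The log path, the look-back window, the helper name `Get-EventField` and the Security event IDs 4624/4634/4647 (Windows Server 2008 or later) are assumptions, not details from the thread.

```powershell
# Added example, not from the thread. Assumptions: log path, look-back window,
# and Security event IDs 4624 (logon), 4634/4647 (logoff) on Server 2008 or later.
param(
    [string]$LogPath = "$env:windir\CCM\Logs\UpdatesDeployment.log",  # assumed path
    [int]$LookbackHours = 24   # sessions that began earlier than this are not listed
)

# Hypothetical helper: read one named field from a Security event's EventData.
function Get-EventField($Record, [string]$Name) {
    (([xml]$Record.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name }).'#text'
}

# Client log lines end with: <time="HH:mm:ss.fff+bias" date="MM-dd-yyyy" ...>
$stamp = 'time="(?<time>\d{1,2}:\d{1,2}:\d{1,2})[^"]*" date="(?<date>\d{1,2}-\d{1,2}-\d{4})"'

$installTimes = Select-String -Path $LogPath -SimpleMatch -Pattern 'InstallUpdates Initiated by user' |
    ForEach-Object {
        if ($_.Line -match $stamp) {
            [datetime]::ParseExact("$($Matches['date']) $($Matches['time'])",
                'M-d-yyyy H:m:s', [Globalization.CultureInfo]::InvariantCulture)
        }
    }

foreach ($t in $installTimes) {
    $open = @{}   # TargetLogonId -> session that has logged on but not yet logged off
    $filter = @{ LogName = 'Security'; Id = 4624, 4634, 4647
                 StartTime = $t.AddHours(-$LookbackHours); EndTime = $t }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            $id   = Get-EventField $_ 'TargetLogonId'
            $type = Get-EventField $_ 'LogonType'
            if ($_.Id -ne 4624) {
                if ($id) { $open.Remove($id) }          # logoff closes the session
            } elseif (('2', '10') -contains $type) {    # 2 = console, 10 = Remote Desktop
                $open[$id] = New-Object psobject -Property @{
                    InstallTime = $t; LogonTime = $_.TimeCreated; LogonType = $type
                    User   = '{0}\{1}' -f (Get-EventField $_ 'TargetDomainName'),
                                          (Get-EventField $_ 'TargetUserName')
                    Source = Get-EventField $_ 'IpAddress'
                }
            }
        }
    # Everyone still in $open was logged on when the install was initiated.
    $open.Values | Sort-Object LogonTime |
        Select-Object InstallTime, User, LogonType, LogonTime, Source
}
```

Reading the Security log requires an elevated session. On a busy Remote Desktop server the output is a list of candidates to compare against who holds rights to install updates, not a single name.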