Solved

Windows server update service and workstations

Posted on 2006-06-18
19
248 Views
Last Modified: 2010-04-18
I'm wondering how one configures workstations for the Windows update service when the windows update service is located on the local aera network?

I.e. I'm using wsus to download the patches, and want to configure certain workstations to have the updates downloaded from the wsus server.

Do I have to go to each workstation and make a change or is there a global policy that can be done. (I only want workstations updated, not the servers as I want to do the servers manually)

Thanks
0
Comment
Question by:john_s99
  • 7
  • 6
  • 4
19 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 125 total points
Comment Utility
You can create a new OU and move all the computers into it that you want to use your WSUS server (this assumes you haven't done this already).
Create a new GPO linked to this OU.
Set these settings in the GPO:

Computer Config>Admin Templates>Windows Components>Windows Update ::

> Specify intranet Microsoft update service location
> Configure Automatic updates


These are the 2 important ones.  The rest of the elements in Windows Update are to fine tune things.

0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
Anything else you might want to know can be found here (great reference):

http://www.wsuswiki.com/

0
 
LVL 104

Assisted Solution

by:Sembee
Sembee earned 125 total points
Comment Utility
The way that I do it is to have three group policy settings covering two OUs.

The first GP template is the base. This specifies the intranet location, detection time etc.
The second GP template is for the workstations. This sets the behaviour of automatic updates and includes a tag to sort them in to the correct group.
The third GP template is for the servers. This is linked to the domain controllers OU and a separate OU for the member servers. You have to be really careful with moving the servers around in the domain. You don't move the domain controllers unless you are really sure as that can screw things up. Similarly Exchange servers can get upset if things are moved around wrongly.

On the WSUS server, create two groups, one called Servers, one called Workstations. Set the WSUS to use group policy for sorting the machines.

What that means is you can set the workstations to install, the server to detect. Or a mix, or set the workstations to force installation, with the servers download and prompt - or a combination. You have control over what is happening, what the machines need and how it is installed, while still having the advantages of a local download point.

Simon.
0
 

Author Comment

by:john_s99
Comment Utility

  Is there a way to force the computers to reboot after an update is done. (i.e. have the systems reboot at 3am after the update when no one is using them?)

Thanks
0
 
LVL 104

Expert Comment

by:Sembee
Comment Utility
The group policy does that.

Simon.
0
 

Author Comment

by:john_s99
Comment Utility
But where in GPO, as I didn't see where to set the time for reboot...
0
 
LVL 104

Expert Comment

by:Sembee
Comment Utility
You don't set the time for the reboot, but the time for the installation. So you would set the machines to install at 3am and then reboot.

There is a setting "No Auto Restart for scheduled Automatic Update Installations". If you disable that, then the machine will restart automatically 5 minutes after the installation is complete.

Simon.
0
 

Author Comment

by:john_s99
Comment Utility
What is strange now, is I setup the auto update at 3am but there is no status report for that time.

The only time the last status was is when I logged in as administrator and not as the user.

The updates were flagged as detect only and not install, so I changed the updates to install.

But what rights does the user need to install the updates? (power user, standard user, administrator?)

Thanks
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 51

Expert Comment

by:Netman66
Comment Utility
The user doesn't need any further rights.  At 3am, the updates will install and the computer will reboot - but only if the user is logged off.

A normal user will not see any update shield in the tray and should not be aware of anything that happens.

0
 
LVL 104

Expert Comment

by:Sembee
Comment Utility
There is a setting to allow a non-administrator to install updates. If you don't enable that, then they will not see anything.

Simon.
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
The danger to enabling this is that if they don't choose to do the update via the shield it doesn't happen.

I would leave the default behiour as it is.

0
 

Author Comment

by:john_s99
Comment Utility
So if a user is logged in, the updates will happen but the system won't reboot?

Also on the wsus admin page on the server, it says detect only... Do I have to change every update from detect to install? (as there are over 600+ that say detect only)

Thanks
0
 
LVL 104

Expert Comment

by:Sembee
Comment Utility
You need to change them to install to install.
You can select them in bulk and choose Install. It will take a while to tag them all, so leave it to get one with it.

With the correct group policy settings, the updates can install automatically no matter who is logged in. If it is a normal user they will get nagged at intervals. I usually set this to every 45 minutes, although if I need the update to be applied immediately I have set it to every 5 minutes and slowly turn it down to every minute - usually with associates email messages telling the users to reboot.

Simon.
0
 

Author Comment

by:john_s99
Comment Utility
Will WSUS do Office updates too?

Thanks
0
 
LVL 104

Expert Comment

by:Sembee
Comment Utility
It will. It does Office 2002 and Office 2003. It has just done some updates overnight for Excel.

Simon.
0
 

Author Comment

by:john_s99
Comment Utility
Ok, there were some updates that were done and when I went into the WSUS admin screen some said a reboot is required. (I thought the PC's rebooted automatically after the updates were done?)

These systems are Windows 2000 Professional

Thanks
0
 
LVL 104

Expert Comment

by:Sembee
Comment Utility
The WSUS admin information is not live. It is the status when the machine last called in.
Therefore if was waiting to be rebooted last time the machine called in, that is what is would be recorded.

You can force the machine to call home with the latest update information by dropping in to a command prompt and typing

wuauclt /detectnow

You could also cut down the time between detections in the group policy. The default is 22 hours. I usually run between 3 and 6 hours.

Simon.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now