john_s99

Windows server update service and workstations

I'm wondering how one configures workstations for the Windows update service when the Windows update service is located on the local area network?

I.e. I'm using WSUS to download the patches, and want to configure certain workstations to have the updates downloaded from the WSUS server.

Do I have to go to each workstation and make a change, or is there a global policy that can be done? (I only want workstations updated, not the servers, as I want to do the servers manually.)

Thanks
ASKER CERTIFIED SOLUTION
Netman66
Anything else you might want to know can be found here (great reference):

http://www.wsuswiki.com/

john_s99

ASKER


Is there a way to force the computers to reboot after an update is done? (I.e. have the systems reboot at 3am after the update when no one is using them?)

Thanks
The group policy does that.

Simon.
But where in GPO, as I didn't see where to set the time for reboot...
You don't set the time for the reboot, but the time for the installation. So you would set the machines to install at 3am and then reboot.

There is a setting "No Auto Restart for scheduled Automatic Update Installations". If you disable that, then the machine will restart automatically 5 minutes after the installation is complete.

Simon.
What is strange now is that I set up the auto update at 3am, but there is no status report for that time.

The only time the last status was is when I logged in as administrator and not as the user.

The updates were flagged as detect only and not install, so I changed the updates to install.

But what rights does the user need to install the updates? (power user, standard user, administrator?)

Thanks
The user doesn't need any further rights.  At 3am, the updates will install and the computer will reboot - but only if the user is logged off.

A normal user will not see any update shield in the tray and should not be aware of anything that happens.

There is a setting to allow a non-administrator to install updates. If you don't enable that, then they will not see anything.

Simon.
The danger to enabling this is that if they don't choose to do the update via the shield it doesn't happen.

I would leave the default behaviour as it is.

So if a user is logged in, the updates will happen but the system won't reboot?

Also, on the WSUS admin page on the server, it says detect only... Do I have to change every update from detect to install? (There are over 600+ that say detect only.)

Thanks
You need to change them to Install for them to install.
You can select them in bulk and choose Install. It will take a while to tag them all, so leave it to get on with it.

With the correct group policy settings, the updates can install automatically no matter who is logged in. If it is a normal user they will get nagged at intervals. I usually set this to every 45 minutes, although if I need the update to be applied immediately I have set it to every 5 minutes and slowly turn it down to every minute - usually with associated email messages telling the users to reboot.

Simon.
Will WSUS do Office updates too?

Thanks
It will. It does Office 2002 and Office 2003. It has just done some updates overnight for Excel.

Simon.
OK, there were some updates that were done, and when I went into the WSUS admin screen some said a reboot is required. (I thought the PCs rebooted automatically after the updates were done?)

These systems are Windows 2000 Professional

Thanks
The WSUS admin information is not live. It is the status when the machine last called in.
Therefore, if it was waiting to be rebooted the last time the machine called in, that is what would be recorded.

You can force the machine to call home with the latest update information by dropping in to a command prompt and typing

wuauclt /detectnow

You could also cut down the time between detections in the group policy. The default is 22 hours. I usually run between 3 and 6 hours.

Simon.
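
The group policy settings discussed in this thread end up on each workstation as registry values under the Windows Update policy key, so a client can be checked by exporting that key and comparing it with the intended setup. The following is an added example, not code from the thread: the value names are Microsoft's documented Automatic Updates policy values, while the sample export, the server name and the function names are constructed for illustration.

```python
import re

# Constructed sample: .reg export of the Automatic Updates policy keys from one
# workstation. The server name is a placeholder. (regedit writes real exports as
# UTF-16, so read those with open(path, encoding="utf-16").)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus01.example.local"
"WUStatusServer"="http://wsus01.example.local"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000003
"ScheduledInstallTime"=dword:00000003
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
'''

VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)"|dword:([0-9a-fA-F]{8}))\s*$', re.M)

def parse_reg(text):
    """Map value name -> str or int for every string/DWORD value in the export."""
    return {name: int(dword, 16) if dword else sz
            for name, sz, dword in VALUE_RE.findall(text)}

def audit(values):
    """Return the ways this client differs from the setup described in the thread."""
    findings = []
    if values.get("UseWUServer") != 1 or not values.get("WUServer"):
        findings.append("not pointed at a WSUS server")
    if values.get("AUOptions") != 4:  # 4 = auto download and schedule the install
        findings.append("updates are not set to install on a schedule")
    elif values.get("ScheduledInstallTime") != 3:  # hour of day, 0-23
        findings.append("scheduled install hour is not 3am")
    if values.get("NoAutoRebootWithLoggedOnUsers", 0) == 1:
        findings.append("no-auto-restart is enabled, so the machine waits for a manual reboot")
    # Detection interval stays at the 22-hour default unless the policy enables it.
    enabled = values.get("DetectionFrequencyEnabled") == 1
    hours = values.get("DetectionFrequency", 22) if enabled else 22
    if not 3 <= hours <= 6:
        findings.append(f"detection runs every {hours}h, outside the 3-6h used in the thread")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("FINDING:", finding)
```
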