  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 259

Windows server update service and workstations

I'm wondering how one configures workstations for the Windows Update service when the Windows Update service is located on the local area network?

I.e. I'm using WSUS to download the patches, and want to configure certain workstations to have the updates downloaded from the WSUS server.

Do I have to go to each workstation and make a change, or is there a global policy that can be done? (I only want workstations updated, not the servers, as I want to do the servers manually.)

Thanks
Asked by: john_s99
2 Solutions
 
Netman66 Commented:
You can create a new OU and move all the computers into it that you want to use your WSUS server (this assumes you haven't done this already).
Create a new GPO linked to this OU.
Set these settings in the GPO:

Computer Config>Admin Templates>Windows Components>Windows Update ::

> Specify intranet Microsoft update service location
> Configure Automatic updates


These are the 2 important ones.  The rest of the elements in Windows Update are to fine tune things.

0
 
Netman66 Commented:
Anything else you might want to know can be found here (great reference):

http://www.wsuswiki.com/

0
 
Sembee Commented:
The way that I do it is to have three group policy settings covering two OUs.

The first GP template is the base. This specifies the intranet location, detection time etc.
The second GP template is for the workstations. This sets the behaviour of automatic updates and includes a tag to sort them in to the correct group.
The third GP template is for the servers. This is linked to the domain controllers OU and a separate OU for the member servers. You have to be really careful with moving the servers around in the domain. You don't move the domain controllers unless you are really sure as that can screw things up. Similarly Exchange servers can get upset if things are moved around wrongly.

On the WSUS server, create two groups, one called Servers, one called Workstations. Set the WSUS to use group policy for sorting the machines.

What that means is you can set the workstations to install, the server to detect. Or a mix, or set the workstations to force installation, with the servers download and prompt - or a combination. You have control over what is happening, what the machines need and how it is installed, while still having the advantages of a local download point.

Simon.
0

 
john_s99 (Author) Commented:

Is there a way to force the computers to reboot after an update is done? (I.e. have the systems reboot at 3am after the update, when no one is using them?)

Thanks
0
 
Sembee Commented:
The group policy does that.

Simon.
0
 
john_s99 (Author) Commented:
But where in GPO, as I didn't see where to set the time for reboot...
0
 
Sembee Commented:
You don't set the time for the reboot, but the time for the installation. So you would set the machines to install at 3am and then reboot.

There is a setting "No Auto Restart for scheduled Automatic Update Installations". If you disable that, then the machine will restart automatically 5 minutes after the installation is complete.

Simon.
0
 
john_s99 (Author) Commented:
What is strange now is I set up the auto update at 3am but there is no status report for that time.

The only time the last status was is when I logged in as administrator and not as the user.

The updates were flagged as detect only and not install, so I changed the updates to install.

But what rights does the user need to install the updates? (power user, standard user, administrator?)

Thanks
0
 
Netman66 Commented:
The user doesn't need any further rights.  At 3am, the updates will install and the computer will reboot - but only if the user is logged off.

A normal user will not see any update shield in the tray and should not be aware of anything that happens.

0
 
Sembee Commented:
There is a setting to allow a non-administrator to install updates. If you don't enable that, then they will not see anything.

Simon.
0
 
Netman66 Commented:
The danger to enabling this is that if they don't choose to do the update via the shield it doesn't happen.

I would leave the default behaviour as it is.

0
 
john_s99 (Author) Commented:
So if a user is logged in, the updates will happen but the system won't reboot?

Also, on the WSUS admin page on the server, it says detect only... Do I have to change every update from detect to install? (As there are over 600+ that say detect only.)

Thanks
0
 
Sembee Commented:
You need to change them to Install for them to install.
You can select them in bulk and choose Install. It will take a while to tag them all, so leave it to get on with it.

With the correct group policy settings, the updates can install automatically no matter who is logged in. If it is a normal user they will get nagged at intervals. I usually set this to every 45 minutes, although if I need the update to be applied immediately I have set it to every 5 minutes and slowly turn it down to every minute - usually with associated email messages telling the users to reboot.

Simon.
0
 
john_s99 (Author) Commented:
Will WSUS do Office updates too?

Thanks
0
 
Sembee Commented:
It will. It does Office 2002 and Office 2003. It has just done some updates overnight for Excel.

Simon.
0
 
john_s99 (Author) Commented:
Ok, there were some updates that were done and when I went into the WSUS admin screen some said a reboot is required. (I thought the PCs rebooted automatically after the updates were done?)

These systems are Windows 2000 Professional

Thanks
0
 
Sembee Commented:
The WSUS admin information is not live. It is the status when the machine last called in.
Therefore, if it was waiting to be rebooted the last time the machine called in, that is what would be recorded.

You can force the machine to call home with the latest update information by dropping in to a command prompt and typing

wuauclt /detectnow

You could also cut down the time between detections in the group policy. The default is 22 hours. I usually run between 3 and 6 hours.

Simon.
0
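
The GPO settings discussed in this thread (intranet update service location, Configure Automatic Updates with a 3am install, group targeting, detection frequency, auto-restart) reach each workstation as registry values under the Windows Update policy key. The following PowerShell check is an added example, not part of any post above; it assumes a client with PowerShell 3.0 or later, and the server URL, group name and thresholds in `$Want` are constructed placeholders.

```powershell
# Added example: verify the registry values the WSUS GPO writes on a client.
# Everything in $Want is a constructed placeholder; replace with your own values.
$Want = @{
    WUServer     = 'http://wsus.example.local'  # placeholder intranet update server
    TargetGroup  = 'Workstations'               # WSUS group name used in the thread
    InstallHour  = 3                            # scheduled install at 3am
    MaxDetectHrs = 6                            # upper bound on detection interval (hours)
}
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is missing, i.e. the GPO has not applied.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name }
}

# One entry per policy value: where it lives and what counts as correct.
$checks = @(
    @{ Path=$wu; Name='WUServer';             Ok={ param($v) $v -eq $Want.WUServer } }
    @{ Path=$wu; Name='WUStatusServer';       Ok={ param($v) $v -eq $Want.WUServer } }
    @{ Path=$wu; Name='TargetGroupEnabled';   Ok={ param($v) $v -eq 1 } }
    @{ Path=$wu; Name='TargetGroup';          Ok={ param($v) $v -eq $Want.TargetGroup } }
    @{ Path=$au; Name='UseWUServer';          Ok={ param($v) $v -eq 1 } }
    @{ Path=$au; Name='NoAutoUpdate';         Ok={ param($v) $v -eq 0 } }
    # AUOptions 4 = download automatically and install on the schedule
    @{ Path=$au; Name='AUOptions';            Ok={ param($v) $v -eq 4 } }
    @{ Path=$au; Name='ScheduledInstallTime'; Ok={ param($v) $v -eq $Want.InstallHour } }
    # 0 = "No auto-restart" policy disabled, so the machine restarts after install
    @{ Path=$au; Name='NoAutoRebootWithLoggedOnUsers'; Ok={ param($v) $v -eq 0 } }
    @{ Path=$au; Name='DetectionFrequencyEnabled';     Ok={ param($v) $v -eq 1 } }
    @{ Path=$au; Name='DetectionFrequency';   Ok={ param($v) $v -ge 1 -and $v -le $Want.MaxDetectHrs } }
)

$report = foreach ($c in $checks) {
    $value = Get-PolicyValue $c.Path $c.Name
    [pscustomobject]@{
        Setting = $c.Name
        Value   = if ($null -eq $value) { '<not set>' } else { $value }
        Pass    = ($null -ne $value) -and [bool](& $c.Ok $value)
    }
}
$report | Format-Table -AutoSize
```

A `<not set>` row means the policy value never reached the machine, which usually points at the computer sitting in the wrong OU or the GPO not being linked to it.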
