We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now

x

WSUS Group Policy question

Medium Priority
926 Views
Last Modified: 2008-05-30
I have 15 member servers that are updated via group policy from a remote WSUS server. Three of these servers are application servers and have recently had issues due to a Microsoft critical update. I would like to exclude these from receiving updates from WSUS for the moment. What’s the best way? Do I create a new OU move them and change the GP or is there another way? Id prefer to keep them in the same OU as other policies are applied via GP
Comment
Watch Question

Yes,
- I think you have to make a new OU. Make this OU direct under the current OU. This way the servers will inherit the policies of the OU above.
- Move the servers inquestion to this OU
- Make a new GPO policy and link it to the newly created OU.
- Open the newly created GPO and goto the WSUS policies and disable all WSUS settings. This will override all WSUS settings defined in the policy that is linked to
  the above OU.
- Go to WSUS make a new computer group that is based on the newly created OU

Thats it. When you're don testing just move the servers back to the original OU.
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
Why not just leave them where they are and change the Windows Update Service from Automatic to Disabled?

Vic

Commented:
If your WSUS sets the group of the Computers automatically by gp you have to do it like rmilliard descript, if not, you can create a new group on the WSUS and put the Server into that group.

Another possibility is to deactivate the update Service on the servers you don't want to update.
Information Services Manager
CERTIFIED EXPERT
Commented:
When you approve updates, you approve them for a group of computers in WSUS.
You need to create another group in WSUS.  Then move all of the servers into that group.  Updates are not approved for the new group therefore servers in that group won't be downloading them.

I created 3 groups in WSUS....Client Workstations, Servers, No Updates.   I actually had to do this, because we have Cisco VOIP servers that are not supposed to get windows updates ever....only Cisco approved updates.

good luck

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
I must be missing something here.

If you 'DISABLE' the wuauserv service on those 3 servers - the Update Service will not run - unless you have a GPO (applied) to turn on that service.

Why create extra work when all you have to do is turn it off?


Vic
Vic, I thought you were a security man! You do not want to disable the update service on any windows box.


As mentioned above create a new group within WSUS and apply/disable the problematic updates to that group, configure it to not auto install (install post-test). I wouldnt fully disable them as Vic stated, yet if you dont want them recieving any updates (not advised) then proceed as he stated.
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
bigjimbo - ya busted me.

The only reason I know about it is that we disable our Exchange 2003 (Exchange Admin does it personally) and a couple of the Servers over on the Finance/Personnel side.

They run some custom-built apps that take special treatment to make sure updates don't break them (I hate those friggin servers).

I do "scan" them for vulnerabilities once a week and bust their humps if they don't have the latest patches.

I resisted putting them in their own little 'special' OU because it is simpler this way (and I don't like them).


Vic
No worries, just bustin your balls.

But NO PRODUCTION server should ever have auto-install. I'm a bit anal when it comes to updates, (99% of my network is Windows..wonder why) But all of my production servers are split up depending on their "job". I also have a seperate WSUS servers for those critical systems, and one for workstations. I break workstations up according to mobile, or dt. While servers are broken up into web, application, database ect.
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
Roger, over.
Did I see your name on the CISSP list that came out today?

Regarding servers - you're right.
Our 'Applications' servers all have specific admins assigned as 'Owners'.
They are the 'Go-To' guys (or gals) who are charged with the server maintenance and making sure they pass the scans I do.

Vic
CISSP? Sadly I dont have the time to study for that (finishing undergrad up this semester as well as just started my masters). Did I mention I work full time at my current job, as well as a part-time unpaid internship, and have been taking a full load at school (3 under, 1 graduate). AND...throw a girlfriend and hobbies in there.


Any one have a solution on how to aquire 36 hour days? I can award as many points as needed!

Umm, I wouldn't do anything in AD!  

This can be entirely handled from within the WSUS mgmt interface, and was designed to help admins pick and choose.  Just go to the computers section and click "create a computer group" from the left.  Label it "Application Servers" and it will appear on the lower left.  Then go to the group that currently holds the servers you want to control and highlight them.  Then choose "move the selected computer" from your options on the left.

Now that the servers are in their own group, when you roll out new updates, set the approval for that group to "detect only."

Commented:
You could go to the policy that contains the WSUS settings and add the 3 servers with deny rights. This way they would not get the policy settings until you removed those security changes.

On the 3 server machines then ensure that the updates are set to manual not automatic.

Dirty but simple.
yes I think making changes in WSUS is the best way and not to disturb local policies/ settings on servers
No active directory or group policy changes should be made for this!  See my comment 3 posts up.  This is what you need to do.
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
expexchuser,
You're right - you were the first with that comment.
That other "poster" has been running around all over the board this morning repeating other people's suggestions.
Maybe he thinks nobody will notice and he'll sneak a few points that way.

Vic
Ron MalmsteadInformation Services Manager
CERTIFIED EXPERT

Commented:
JUST PUT THE SERVERS IN A DIFFERENT GROUP IN WSUS !   it's really that simple.
Just create a new group and move them.

THEN...you can still track their updates in WSUS, and you don't need to make any changes to group policy or the servers...

The solution is literally like 4 mouse clicks ...
Ron MalmsteadInformation Services Manager
CERTIFIED EXPERT

Commented:
PS:  If you do what I said....the servers will still show in WSUS, but they won't ever get any updates unless you approve them for the group they are in.

trust me....this is the best/easiest solution.
Vic, were you referring to me?
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
Hell no!
You actually know what you're talking about.
This was some newbie copying earlier posts (in the same string) and pasting them in his own post.

Vic
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
bigjimbo813,
My email address is in my 'Profile' if you want to drop me a note.
Vic
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.