Link to home
Start Free TrialLog in
Avatar of boomerbostock
boomerbostock

asked on

WSUS Group Policy question

I have 15 member servers that are updated via group policy from a remote WSUS server. Three of these servers are application servers and have recently had issues due to a Microsoft critical update. I would like to exclude these from receiving updates from WSUS for the moment. What’s the best way? Do I create a new OU move them and change the GP or is there another way? Id prefer to keep them in the same OU as other policies are applied via GP
Avatar of rmilliard
rmilliard

Yes,
- I think you have to make a new OU. Make this OU direct under the current OU. This way the servers will inherit the policies of the OU above.
- Move the servers inquestion to this OU
- Make a new GPO policy and link it to the newly created OU.
- Open the newly created GPO and goto the WSUS policies and disable all WSUS settings. This will override all WSUS settings defined in the policy that is linked to
  the above OU.
- Go to WSUS make a new computer group that is based on the newly created OU

Thats it. When you're don testing just move the servers back to the original OU.
Avatar of younghv
Why not just leave them where they are and change the Windows Update Service from Automatic to Disabled?

Vic
If your WSUS sets the group of the Computers automatically by gp you have to do it like rmilliard descript, if not, you can create a new group on the WSUS and put the Server into that group.

Another possibility is to deactivate the update Service on the servers you don't want to update.
ASKER CERTIFIED SOLUTION
Avatar of Ron Malmstead
Ron Malmstead
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I must be missing something here.

If you 'DISABLE' the wuauserv service on those 3 servers - the Update Service will not run - unless you have a GPO (applied) to turn on that service.

Why create extra work when all you have to do is turn it off?


Vic
Vic, I thought you were a security man! You do not want to disable the update service on any windows box.


As mentioned above create a new group within WSUS and apply/disable the problematic updates to that group, configure it to not auto install (install post-test). I wouldnt fully disable them as Vic stated, yet if you dont want them recieving any updates (not advised) then proceed as he stated.
bigjimbo - ya busted me.

The only reason I know about it is that we disable our Exchange 2003 (Exchange Admin does it personally) and a couple of the Servers over on the Finance/Personnel side.

They run some custom-built apps that take special treatment to make sure updates don't break them (I hate those friggin servers).

I do "scan" them for vulnerabilities once a week and bust their humps if they don't have the latest patches.

I resisted putting them in their own little 'special' OU because it is simpler this way (and I don't like them).


Vic
No worries, just bustin your balls.

But NO PRODUCTION server should ever have auto-install. I'm a bit anal when it comes to updates, (99% of my network is Windows..wonder why) But all of my production servers are split up depending on their "job". I also have a seperate WSUS servers for those critical systems, and one for workstations. I break workstations up according to mobile, or dt. While servers are broken up into web, application, database ect.
Roger, over.
Did I see your name on the CISSP list that came out today?

Regarding servers - you're right.
Our 'Applications' servers all have specific admins assigned as 'Owners'.
They are the 'Go-To' guys (or gals) who are charged with the server maintenance and making sure they pass the scans I do.

Vic
CISSP? Sadly I dont have the time to study for that (finishing undergrad up this semester as well as just started my masters). Did I mention I work full time at my current job, as well as a part-time unpaid internship, and have been taking a full load at school (3 under, 1 graduate). AND...throw a girlfriend and hobbies in there.


Any one have a solution on how to aquire 36 hour days? I can award as many points as needed!

Umm, I wouldn't do anything in AD!  

This can be entirely handled from within the WSUS mgmt interface, and was designed to help admins pick and choose.  Just go to the computers section and click "create a computer group" from the left.  Label it "Application Servers" and it will appear on the lower left.  Then go to the group that currently holds the servers you want to control and highlight them.  Then choose "move the selected computer" from your options on the left.

Now that the servers are in their own group, when you roll out new updates, set the approval for that group to "detect only."
You could go to the policy that contains the WSUS settings and add the 3 servers with deny rights. This way they would not get the policy settings until you removed those security changes.

On the 3 server machines then ensure that the updates are set to manual not automatic.

Dirty but simple.
yes I think making changes in WSUS is the best way and not to disturb local policies/ settings on servers
No active directory or group policy changes should be made for this!  See my comment 3 posts up.  This is what you need to do.
expexchuser,
You're right - you were the first with that comment.
That other "poster" has been running around all over the board this morning repeating other people's suggestions.
Maybe he thinks nobody will notice and he'll sneak a few points that way.

Vic
JUST PUT THE SERVERS IN A DIFFERENT GROUP IN WSUS !   it's really that simple.
Just create a new group and move them.

THEN...you can still track their updates in WSUS, and you don't need to make any changes to group policy or the servers...

The solution is literally like 4 mouse clicks ...
PS:  If you do what I said....the servers will still show in WSUS, but they won't ever get any updates unless you approve them for the group they are in.

trust me....this is the best/easiest solution.
Vic, were you referring to me?
Hell no!
You actually know what you're talking about.
This was some newbie copying earlier posts (in the same string) and pasting them in his own post.

Vic
bigjimbo813,
My email address is in my 'Profile' if you want to drop me a note.
Vic