How to force Windows updates to be installed on users' computers (XP)

Hi

We have Small Business Server 2003 (WSUS running)

and from the WSUS pages, I can define which patches to install on users' computers

and then I need to go to the user's computer or tell users to install those updates

But isn't there any way that, as soon as I assign which updates need to be installed on users' computers, those updates will be installed automatically, without even clicking on the updates icon???

Thanks for your help
fosiul01Asked:

robbeCommented:
You can force the update check by running: wuauclt /Detectnow from a command line.
0
marektechCommented:
Within WSUS you can set the updates to install based on type, e.g. Critical Updates.

Also set group policy to automatically install the updates on users computers.

How to configure automatic updates by using Group Policy or registry settings:
http://support.microsoft.com/kb/328010
0

robbeCommented:
If you want to change the behavior of the updates installation you can modify the Client update GPO with the group policy editor.
0
DataBitzCommented:
Approving updates in WSUS and using a deadline should achieve this. Give it a go.
Also bear in mind that the WSUS client on the computers only checks into WSUS once every 24 hours at a random time. So if you approve an update and use a deadline, make sure you allow at least 24 hours for the computers to check in to install the updates.
http://technet.microsoft.com/en-us/library/cc708585%28WS.10%29.aspx
0
fosiul01Author Commented:
@marektech


From WSUS: do I have to select the option "Approve for installation"

then use GPO to make it install??

0
marektechCommented:
In WSUS you can either right click an update and select Approve or you can create automatic approval by going to options and then Automatic Approvals. From there click edit and select which types of updates should be automatic (e.g. critical).

Group policy should be set to install the update automatically for the user, but not restart automatically. GP also is used to tell the computers to check the WSUS server for updates and not windowsupdate itself:

http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx
0
fosiul01Author Commented:
Ok

Step 1: From WSUS, with 20 computers in a group, I clicked on an update and chose to install that update for every computer in that group.

So what will happen now: users will see a yellow sign (updates sign) on the computer, and they will have to install the updates. If they don't update by themselves, it will never be installed on that computer.

So I don't want to wait for the users to update by themselves; I want to install updates automatically (users like it or not!!)


So I guess this will have to be done via GPO for the SBS 2003 server.

Right??

What GPO policy do I select on the SBS 2003 server to make it install without even asking permission from users???


 
0
marektechCommented:
Yes that is correct you will use Group Policy.

Within GP go to Computer Configuration / Administrative Templates / Windows Update

Set Configure Windows Updates to Enabled and option which is Auto download and schedule the installation. Pick everyday and a time.

Under Specify Intranet Microsoft Update Service location select Enabled and type the address of your WSUS server. E.g. http://wsus:8530

Set No auto-restart with logged on users for scheduled automatic updates to enabled - you don't want to restart computers while people are working

You can also set the Automatic Updates detection frequency to enabled and set it to whatever you like. e.g. 5 hours

Set Allow automatic updates immediate installation to enabled

Also set allow non-administrators to receive update notification to enabled
0
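The registry side of the Group Policy settings listed in this answer, as an added example that is not part of the original thread: a Python check over `reg query ... /s` output, using the policy value names documented in Microsoft KB 328010 (linked earlier in the thread). The 13:00 install time, 5-hour detection frequency and WSUS URL follow the thread; the sample output is constructed.

```python
import re
# Value names behind the listed policy settings, per Microsoft KB 328010.
WU = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU = WU + r"\AU"
EXPECTED = {
    (WU, "WUServer"): "http://wsus:8530",   # the thread's example WSUS URL
    (WU, "ElevateNonAdmins"): 1,            # non-admins get update notifications
    (AU, "UseWUServer"): 1,                 # use WUServer, not Windows Update
    (AU, "AUOptions"): 4,                   # auto download and schedule install
    (AU, "ScheduledInstallDay"): 0,         # 0 = every day
    (AU, "ScheduledInstallTime"): 13,       # 13:00 (1 pm, as in the thread)
    (AU, "NoAutoRebootWithLoggedOnUsers"): 1,
    (AU, "DetectionFrequencyEnabled"): 1,
    (AU, "DetectionFrequency"): 5,          # hours
    (AU, "AutoInstallMinorUpdates"): 1,     # immediate installation
}
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")

def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {(KEY, name): value}."""
    values, key = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().upper()          # registry paths are case-insensitive
        elif key and (m := VALUE_RE.match(line)):
            name, kind, raw = m.groups()
            values[(key, name)] = int(raw, 16) if kind == "REG_DWORD" else raw
    return values

def audit(text):
    """List expected settings that are missing or different on this machine."""
    actual = parse_reg_query(text)
    return sorted(
        f"{name}: {actual.get((key.upper(), name), 'not set')} (expected {want})"
        for (key, name), want in EXPECTED.items()
        if actual.get((key.upper(), name)) != want)

# Constructed sample output from one client (not taken from the thread).
SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus:8530
    ElevateNonAdmins    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x1
    AUOptions    REG_DWORD    0x3
    ScheduledInstallDay    REG_DWORD    0x0
    ScheduledInstallTime    REG_DWORD    0xd
    DetectionFrequencyEnabled    REG_DWORD    0x1
    DetectionFrequency    REG_DWORD    0x5
    AutoInstallMinorUpdates    REG_DWORD    0x1"""
```

`audit(SAMPLE)` reports the client still on download-and-notify (`AUOptions` 3) and missing `NoAutoRebootWithLoggedOnUsers`, the two deviations that leave installs and reboots outside the intended schedule.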
fosiul01Author Commented:
Thanks, that will do the job!!!

But what's the point of this one?
"Also set allow non-administrators to receive update notification to enabled"
0
fosiul01Author Commented:
Also:

Those settings will be for the clients, won't they??

I don't want to install updates on the server by itself
0
marektechCommented:
Usually you have to be an admin to run windows updates. That setting allows non admins to see the update notification and update.

You can apply the group policy to any Organisational Unit - just make sure it does not include your servers. I keep my servers in a Server OU and all clients fall in to departmental OUs which I created.
0
fosiul01Author Commented:
Hmmm
OK, my knowledge is not that good in Windows, as I am a Linux guy!!!

And this server was not configured by me

So how will I know if my server is in a different OU and all clients fall in a different OU??

Note: in WSUS, only Approve for detection is enabled.
0
robbeCommented:
fosiul01,

You did install SBS, right? Normally it creates separate GPOs for clients and servers. You just have to move the server under the SBSServers OU in the Active Directory. Then you can change the policy for the update servers to the settings you like.
0
marektechCommented:
You would look in Active Directory Sites and Computers.

You could either do it by OU or within WSUS create 2 groups, one called Servers and one called Clients (right click All computers and Add Computer Group). Then only allow automatic approval to the clients group.

You will need to go into WSUS and click on Unassigned Computers, right click the clients, select change membership and select the Clients group you created. Same with the servers.

That way clients are automatically approved and servers need to be done manually.
0
fosiul01Author Commented:
If I look at WSUS

and then all the updates for the SBS server, they are set as Detect only. So it should not install at 1 pm, should it??


(Note: I set all updates to be installed at 1 pm when users are at lunch)


But since the SBS server is set as detect only, it should not install without selecting those updates as Install,

right??
0
robbeCommented:
If you do prefer to do it manually, there are 2 great articles on the Microsoft website on how to do client targeting and distribute it through GPO:

http://technet.microsoft.com/en-us/library/cc720433(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx
0
fosiul01Author Commented:
Yup, I just separated all computers into one group and the server into a different group


But is there any way to set only the server to be installed at 3 am, and the rest to be installed at 1 pm??
0
marektechCommented:
You can move the servers in to an OU in AD users and computers which does not include the policy you created. Then you can create a new policy with whatever settings you require.

Would be best to test this stuff out before doing it on your live system.
0
robbeCommented:
marektech is right :)
0
fosiul01Author Commented:
Yes, I am not that confident with Windows server .....

So bottom line is, what I have done is:


1) From WSUS, I created 2 groups, all the clients in one group and the server in a different group
2) From WSUS, I chose Approve for detection only [so that it will just detect but will not install]

3) From GPO, I chose
Please check the MS documents
option 4, check for updates every 5 hours, install at 1 pm


But it will not install anything on the server, as all the updates are set as

Approval : detect only
Status : needed

So it should not install on the server, right??

Please read step 1 to last carefully, as I am really not confident with Windows server
0
fosiul01Author Commented:
I forgot to add GPO

GPO.doc
0
marektechCommented:
It should not install unless you approve it.

I prefer to update servers completely manually and don't apply the same Group Policy as I do to clients. But that depends on your environment and how you have your organisation units designed.

Test it out and see how it goes. :)
0
fosiul01Author Commented:
LOL!!

My server just rebooted and it's 1.15...

There were 2 updates I approved accidentally, they were security updates,

when I went to the server it was saying

do you want to reboot, I said later
After 3 minutes, my clients were complaining they can't access the server and Nagios sent me an email that it's down!!!!

Tell me something about the setting below


No auto-restart for scheduled Automatic Updates installations Enabled

Does it mean don't restart, or does it mean restart??
0
marektechCommented:
Under the group policy object you can click on explain for more information.

It says the following:

Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.

If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer.

Be aware that the computer needs to be restarted for the updates to take effect.

If the status is set to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation.

Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
0
fosiul01Author Commented:
hahahaha
OK, I know what happened

"Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer."


So when I went to the server, I clicked on "Restart later",

then logged off from the server.

So there was not any user logged on, and it restarted automatically!!!

So I will have to see tomorrow what happens at 1 pm
0
DonNetwork AdministratorCommented:
For a great explanation of all the windows update settings, look here
 
http://web.archive.org/web/20080315025611/www.vbshf.com/vbshf/wsus/wsus_faq.htm
 
for WSUS step by step guide with screenshots, look here
 
 http://blogs.microsoft.co.il/blogs/yanivf/archive/2007/09/23/install-wsus-3-0-step-by-step.aspx
0