Solved

How to force windows updates to be installed into users computer (xp)

Posted on 2010-08-18
26
379 Views
Last Modified: 2012-05-10
Hi

We have Small business Sever 2003 (WSUS running)

and from WSUS pages, i can define which patches to install on users computer

and then I need to go to User's computer or need to tell user's to install those updates

But is not there any way, as soon i will assign which updates need to be installed on users computers and those updates will be installed automatically , without even clicking on the updates icon ???

Thanks for your help
0
Comment
Question by:fosiul01
  • 11
  • 8
  • 5
  • +2
26 Comments
 
LVL 6

Assisted Solution

by:robbe
robbe earned 94 total points
ID: 33462756
You can force the update check by running: wuauclt /Detectnow from a command line.
0
 
LVL 7

Accepted Solution

by:
marektech earned 334 total points
ID: 33462790
Within WSUS you can set the updates to install based on type e.g Critical Updates.

Also set group policy to automatically install the updates on users computers.

How to configure automatic updates by using Group Policy or registry settings:
http://support.microsoft.com/kb/328010
0
 
LVL 6

Expert Comment

by:robbe
ID: 33462800
If you want to change the behavoir of the updates installation you can modify the Client update GPO with the group policy editor.
0
 
LVL 2

Assisted Solution

by:DataBitz
DataBitz earned 25 total points
ID: 33462818
Approving updates in WSUS and using a deadline should achieve this. Give it a go.
Also bear in mind that the WSUS client on the computers only checks into WSUS once every 24 hours at a  random time. So if you approve an update and use a deadline, make sure you allow at least 24 hours for the computers to check into to install the updates.
http://technet.microsoft.com/en-us/library/cc708585%28WS.10%29.aspx
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33463132
@marektech


from WSUS : do i have to select option "Approve for installation"

then use GPO to make it install ??

0
 
LVL 7

Assisted Solution

by:marektech
marektech earned 334 total points
ID: 33463177
In WSUS you can either right click an update and select Approve or you can create automatic approval by going to options and then Automatic Approvals. From there click edit and select which types of updates should be automatic (e.g. critical).

Group policy should be set to install the update automatically for the user, but not restart automatically. GP also is used to tell the computers to check the WSUS server for updates and not windowsupdate itself:

http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33463198
Ok

Step 1 : from WSUS , 20 Computer in A Group, so i clicked on a updates, and i chose to install that updates for every computer on that Group.

So what will happend now , User will see a Yellow Sign (updates sign) on the computer , and they will have to install that updates, if they dont updates by them self, it will never update in to that computer.

so I dont want to wait for the users to be update it self, i want to install automatically updates ( users like it or not!!)


so i guess this one will have to be done via GPO for SBS 2003 Server.

right ??

what GPO policy will i select in SBS 2003 server to make it install without even asking permission from users ???


 
0
 
LVL 7

Assisted Solution

by:marektech
marektech earned 334 total points
ID: 33463445
Yes that is correct you will use Group Policy.

Within GP go to Computer Configuration / Administrative Templates / Windows Update

Set Configure Windows Updates to Enabled and option which is Auto download and schedule the installation. Pick everyday and a time.

Under Specify Intranet Microsoft Update Service location select Enabled and type the address of your WSUS server. E.g. http://wsus:8530

Set No auto-restart with logged on users for scheduled automatic updates to enabled - you dont want to restart comps while people are working

You can also set the Automatic Updates detection frequency to enabled and set it to whatever you like. e.g. 5 hours

Set Allow automatic updates immediate installation to enabled

Also set allow non-administrators to receive update notification to enabled
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33463502
Thanks , that will do the job!!!

but whats the point of this one ?
"Also set allow non-administrators to receive update notification to enabled"
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33463525
also :

those setting will be for client is  not it ??

i dont want to install updates on Server by itself
0
 
LVL 7

Assisted Solution

by:marektech
marektech earned 334 total points
ID: 33463561
Usually you have to be an admin to run windows updates. That setting allows non admins to see the update notification and update.

You can apply the group policy to any Organisational Unit - just make sure it does not include your servers. I keep my servers in a Server OU and all clients fall in to departmental OUs which I created.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33463598
hmmm
Ok my knowledge is not that good in Windows, as i am Linux guy!!!

and this server is not configured by me

so how will i know if my servr is in different Ou that all clients fall in diffferenct ou ??

Note : in  WSUS,  only Approve of detection is enabled .
0
 
LVL 6

Expert Comment

by:robbe
ID: 33463634
fosiul01,

You did install SBS right ? Normally it creates seperate GPO's for clients and servers. You just have to move the server under the SBSServers OU in the active directory. Than you can change the Policy for the Update servers to change it to the settings you like
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 7

Assisted Solution

by:marektech
marektech earned 334 total points
ID: 33463639
You would look in Active Directory Sites and Computers.

You could either do it by OU or within WSUS create 2 groups 1 called Servers and one called Clients. (right click All computers and Add Computer Group. Then only allow automatic approval to the clients group.

You will need to go into WSUS and click on Unassigned Computers right click the clients and select change membership and select the Clients group you created. Same with the servers.

That way client are automatically approved and servers needs to be done manually.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33463641
If i look at WSUs

and then all the updates for SBS server, its set as Detect only. So it should not install at 1 pm , is  not it ??


(note, i set all updates to be installed at 1 pm when users are in launch)


but since SBS server is set as detect only , it should not install without selecting those updates as Install,

right ??




0
 
LVL 6

Assisted Solution

by:robbe
robbe earned 94 total points
ID: 33463645
If you do prefer to do it manually, there are 2 great articles on the microsoft website to do client targetting and to distrute them trough GPO:

http://technet.microsoft.com/en-us/library/cc720433(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33463654
yup i just seperate all computers in one group and server in different group


but , is there any way  to set only Server to be installed at 3 am ?? and rest will be installed on 1 pm ??


0
 
LVL 7

Assisted Solution

by:marektech
marektech earned 334 total points
ID: 33463681
You can move the servers in to an OU in AD users and computers which does not include the policy you created. Then you can create a new policy with whatever settings you require.

Would be best to test this stuff out before doing it on your live system.
0
 
LVL 6

Expert Comment

by:robbe
ID: 33463700
marektech is right :)
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33463732
yes, I am not that confident with windows server .....

so bottom line is, what i have done is :


1) from WSUS, i create 2 groups, all the clients in one groups and server in different group
2) from WSUS , I chose Approve for detection only, [ so that it will just detect but will not install]

3) From GPO, i chose
Please check the MS documents
option4, check for updates 5 hourse, install at 1 pm


But it will not install anything on server as, all the updates are  set as

Appoval : detect only
Status : needed

so it should not install on the server , right ??

Please read step 1 to last carefully .. as i am really not confident with windows server


0
 
LVL 29

Author Comment

by:fosiul01
ID: 33463739
I forgot to add GPO

GPO.doc
0
 
LVL 7

Expert Comment

by:marektech
ID: 33463862
It should not install unless you approve it.

I prefer to update servers completely manually and don't apply the same Group Policy as I do to clients. But that depends on your environment and how you have your organisation units designed.

Test it out and see how it goes. :)
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33464050
LOL!!

my server just rebooted and its 1.15...

there was 2 updates i approved accidently , it was security update,

when i went to server it was saying

do you want to reboot, i said later
after 3 minutes, my clients complaining they cant access server and nagios sent me email that its down!!!!

tell me something bellow setting


No  auto-restart for scheduled Automatic Updates installations Enabled

does it means, dont restart, or does it mean, Restart ??


0
 
LVL 7

Assisted Solution

by:marektech
marektech earned 334 total points
ID: 33464426
Under the group policy object you can click on explain for more information.

It says the following:

Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.

If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer.

Be aware that the computer needs to be restarted for the updates to take effect.

If the status is set to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation.

Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33464476
hahahaha
ok i know what happended

"Automatic Updates will not restart a computer automatically during a scheduled  installation if a user is logged in to the computer. Instead, Automatic Updates  will notify the user to restart the computer.
"


so when i went to server, i clicked on , "Restart later",

then logg off from server.

so there is not any user log on, and its restarted automatically!!!

so i will have to see tomorrow  , what happened at 1 pm
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 47 total points
ID: 33465340
For a great explanation of all the windows update settings, look here
 
http://web.archive.org/web/20080315025611/www.vbshf.com/vbshf/wsus/wsus_faq.htm
 
for WSUS step by step guide with screenshots, look here
 
 http://blogs.microsoft.co.il/blogs/yanivf/archive/2007/09/23/install-wsus-3-0-step-by-step.aspx
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Can I legally transfer my OEM version of Windows to another PC?  (AKA - Can I put a new systemboard in my OEM PC?) Few of us are both IT and legal experts but we all have our own views of Microsoft's licensing rules and how they apply.  There are…
Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now