WSUS - Deployment strategy help

Posted on 2010-08-24
Medium Priority
Last Modified: 2012-05-10

We have a single 2K3, native, AD domain. We now have about 1100 PCs across the state at 70 facilities. The OU structure is simple; that is, most of the workstations are in a single OU. The rest are child OUs off the main [with various GPOs assigned to them]... here is a crude visual:

- Workstations
    - OU1
    - OU2
    - OU3
    - OU4
    - OU5
    - OU6
    - OU7
    - WSUS Filtered OUT.
    - WSUS Test OU <--- Will be used as a test OU for special applications in OUs 1-7.
    - WSUS Staging OU <--- being used to bring systems up-to-date ... but will be deleted once we are in production.

Ultimately the PCs are used for CD/DVD RW access or some sort of special application where a TC is simply not suited. We have already identified the applications that cannot accept updates and created an OU that will serve to filter out the WSUS GPO. In addition, we have also developed a strategy to deploy the updates following application testing with the PCs in the aforementioned OUs. I will comment on that shortly.

At this time we are relatively up to a current update base with the PCs. All are up to XP SP3 and most are in a WSUS staging OU receiving updates weekly. [Our current staging and planned WSUS GPO will be for Critical and Security updates ONLY. SPs will be deployed only after extensive evaluations.]

Okay. Those things said, what I am looking for is guidance/confirmation/any information towards the following strategic requirements:

1) We must have a written test plan in place to test the applications in the OUs that have been created/configured to accommodate said applications.
     * For the most part I can hammer this out. Insight would be appreciated though.

2) We must have a 2 week lag between the Auto-Approvals for the WSUS Test environment/OUs and the Production environment/OUs.
     * This is where I am having some difficulty. That is, this is going to end up being a manual approval for the latter while approval for the former will remain automatic... correct?

3) An additional OU must be created so the WSUS Production Policy can be filtered out.
     * Like it or not... I work for an organization where any updates following XP SP2 will simply cripple the application hosted on the system.

Any help is appreciated.

If you need further information I am happy to give it. Just let me know.

Thank you,

Question by:Naerwen

Expert Comment

ID: 33510699
I agree with your ideas.
You must create the same OU structure in the WSUS console and release the patches OU-wise.

Author Comment

ID: 33511084
I figured as much, as you can see. I guess my main concern is that there is no way to automate the approvals for a two week delay. That is, I will have to manually approve the updates for the Production network once we've tested the PCs and their associated applications in our test environment, correct?

Accepted Solution

Rant32 earned 1000 total points
ID: 33511363
I would like to add that most of the WSUS administration tasks can be automated in .NET, with the library Microsoft.UpdateServices.Administration.dll.

The DLL is documented at http://msdn.microsoft.com/en-us/library/microsoft.updateservices.administration%28VS.85%29.aspx

I'm not a very skilled C# programmer, but I imagine that it's fairly trivial to retrieve the updates approved for your Test OU and approve them for the Production OU.

The IUpdate.GetUpdateApprovals method has an overloaded version that allows selecting Update Approvals in a specific time range:

Can't directly help with any code, but maybe this will give you some ideas.
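A sketch of the approval lag Rant32 describes, as an added example rather than code from the thread: a PowerShell script against the Microsoft.UpdateServices.Administration API that approves, for the Production target group, every Critical/Security update whose Test-group approval is at least 14 days old. The server name, port and group names are assumed placeholders; run it with -DryRun first to see what it would approve.

```powershell
# Assumed placeholders: WSUS server 'wsus01' on port 8530, target groups
# 'WSUS Test OU' and 'WSUS Production OU' (created in the WSUS console to mirror the OUs).
param(
    [string]$Server    = 'wsus01',
    [int]$Port         = 8530,
    [string]$TestGroup = 'WSUS Test OU',
    [string]$ProdGroup = 'WSUS Production OU',
    [int]$LagDays      = 14,
    [switch]$DryRun
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $false, $Port)

$groups = $wsus.GetComputerTargetGroups()
$test = $groups | Where-Object { $_.Name -eq $TestGroup }
$prod = $groups | Where-Object { $_.Name -eq $ProdGroup }
if (-not $test -or -not $prod) { throw "Target group not found on $Server" }

# Mirror the GPO scope from the question: Critical and Security updates only, no service packs.
$classifications = @('Critical Updates', 'Security Updates')
$cutoff  = (Get-Date).AddDays(-$LagDays)
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

foreach ($u in $wsus.GetUpdates()) {
    if ($u.IsDeclined) { continue }
    if ($classifications -notcontains $u.UpdateClassificationTitle) { continue }

    # Only updates currently approved for Install on the Test group...
    $testApproval = $u.GetUpdateApprovals($test) |
        Where-Object { $_.Action -eq $install } | Select-Object -First 1
    if (-not $testApproval) { continue }
    # ...that have soaked there for at least $LagDays, measured from the approval's creation date...
    if ($testApproval.CreationDate -gt $cutoff) { continue }
    # ...and that have no approval of any kind on the Production group yet.
    if ($u.GetUpdateApprovals($prod).Count -gt 0) { continue }

    if ($DryRun) {
        Write-Output ("Would approve: {0} (in test since {1:d})" -f $u.Title, $testApproval.CreationDate)
    } else {
        [void]$u.Approve($install, $prod)
        Write-Output ("Approved for {0}: {1}" -f $prod.Name, $u.Title)
    }
}
```

Scheduling this daily gives the two-week lag without manual approvals; an update pulled from the Test group during the soak window simply never reaches Production.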
Expert Comment

ID: 33511413
Just thought of this:

Do you have the ability to assign computers using GPO (client side targeting)?

The combination of GPO and WMI filters is very powerful. You could detect a piece of installed software using WMI (registry query) and apply a different GPO (different computer group) based on the installed software.

Your deployment seems large enough to warrant an investigation into this.

Assisted Solution

by:Rick Johnson
Rick Johnson earned 1000 total points
ID: 33536049
You can approve the patches to the group you want (matching the OU structure) and then right click on the patch and set a deadline for 2 weeks, 1 week, whatever. You would then make sure that Group Policy was set up NOT to automatically patch machines, letting the deadline pass and thereby forcing it to happen.

It's a bit manual but it does work.

Author Comment

ID: 33542746
- Rant32, still looking into those links.
- niwqk, Curious. Setting the deadline simply means "install before this date", correct?

Expert Comment

by:Rick Johnson
ID: 33545249
That is correct... however, if you have it set up within Group Policy to simply download the patches but not automatically install them, this could work. Of course, it would take some training to NOT install the patches when the machine comes up with the notification. :-)

Author Closing Comment

ID: 33579792
Both experts gave good advice. Though I should note that Rant32's C#/.NET solution will be our likely course of action... as deadlining an update does not offer the level of control needed for our environment.
