WSUS - Deployment strategy help

Posted on 2010-08-24
Medium Priority
Last Modified: 2012-05-10

We have a single 2K3, native, AD domain. We now have about 1100 PCs across the state at 70 facilities. The OU structure is simple; that is, most of the workstations are in a single OU. The rest are child OUs off the main [with various GPOs assigned to them]... here is a crude visual:

- Workstations
  - OU1
  - OU2
  - OU3
  - OU4
  - OU5
  - OU6
  - OU7
  - WSUS Filtered OUT.
  - WSUS Test OU <--- Will be used as a test OU for special applications in OUs 1-7.
  - WSUS Staging OU <--- being used to bring systems up-to-date ... but will be deleted once we are in production.

Ultimately the PCs are used for CD/DVD RW access or some sort of special application where a TC is simply not suited. We have already identified the applications that cannot accept updates and created an OU that will serve to filter out the WSUS GPO. In addition, we have also developed a strategy to deploy the updates following application testing with the PCs in the aforementioned OUs. I will comment on that shortly.

At this time we are, relatively, up to a current update base with the PCs. All are up to XP SP 3 and most are in a WSUS staging OU receiving updates weekly. [Our current staging and planned WSUS GPO will be for Critical and Security updates ONLY. SPs will be deployed only after extensive evaluations]

Okay. Those things said, what I am looking for is guidance/confirmation/any information towards the following strategic requirements:

1) We must have a written test plan in place to test the applications in the OUs that have been created/configured to accommodate said applications.
     * For the most part I can hammer this out. Insight would be appreciated though.

2) We must have a 2 week lag between the Auto-Approvals for the WSUS Test environment/OUs and the Production Environment/OUs.
     * This is where I am having some difficulty. That is, this is going to end up being a manual approval for the latter while approval for the former will remain Automatic... Correct?

3) An additional OU must be created so the WSUS Production Policy can be filtered out.
     * Like it or not...I work for an organization where any updates following XP SP 2 will simply cripple the application hosted on the system.

Any help is appreciated.

If you need further information I am happy to give it. Just let me know.

Thank you,

Question by: Naerwen
Expert Comment

ID: 33510699
I agree with your ideas.
You must create the same OU structure in the WSUS console and release the patches OU-wise.

Author Comment

ID: 33511084
I figured as much, as you can see. I guess my main concern is that there is no way to automate the approvals for a two week delay. That is, I will have to manually approve the updates for the Production network once we've tested the PCs and their associated applications in our test environment, correct?

Accepted Solution

Rant32 earned 1000 total points
ID: 33511363
I would like to add that most of the WSUS administration tasks can be automated in .NET, with the library Microsoft.UpdateServices.Administration.dll

The DLL is documented in http://msdn.microsoft.com/en-us/library/microsoft.updateservices.administration%28VS.85%29.aspx

I'm not a very skilled C# programmer, but I imagine that it's fairly trivial to retrieve the updates approved for your Test OU and approve them for the Production OU.

The IUpdate.GetUpdateApprovals method has an overloaded version that allows you to select Update Approvals in a specific time range:

Can't directly help with any code, but maybe this will give you some ideas.
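The promotion step Rant32 sketches, written out as an added C# example (not code from this thread or from Microsoft): it walks the approved updates, finds Install approvals that have sat on the Test computer group for at least the two-week lag, and copies them to the Production group. The server name and port, the group names and the lag are assumptions; the program only writes approvals when run with `--apply`, otherwise it reports what it would promote.

```csharp
using System;
using Microsoft.UpdateServices.Administration;

class PromoteTestApprovals
{
    // Assumed values: change to match your WSUS server and the computer
    // groups that mirror the Test and Production OUs.
    const string WsusServer = "wsus01";        // assumption
    const int WsusPort = 8530;                 // assumption (default HTTP port)
    const string TestGroupName = "WSUS Test";  // assumption
    const string ProdGroupName = "Workstations"; // assumption
    static readonly TimeSpan Lag = TimeSpan.FromDays(14);

    static void Main(string[] args)
    {
        bool apply = args.Length > 0 && args[0] == "--apply";
        IUpdateServer server = AdminProxy.GetUpdateServer(WsusServer, false, WsusPort);
        IComputerTargetGroup test = FindGroup(server, TestGroupName);
        IComputerTargetGroup prod = FindGroup(server, ProdGroupName);
        DateTime cutoff = DateTime.UtcNow - Lag;   // compared in UTC

        // Only updates whose latest revision is approved somewhere.
        var scope = new UpdateScope { ApprovedStates = ApprovedStates.LatestRevisionApproved };
        foreach (IUpdate update in server.GetUpdates(scope))
        {
            // Approvals recorded for the Test group only.
            foreach (IUpdateApproval approval in update.GetUpdateApprovals(test))
            {
                if (approval.Action != UpdateApprovalAction.Install) continue;
                if (approval.CreationDate > cutoff) continue;  // still inside the test window
                if (update.IsApproved(prod)) continue;         // already promoted earlier
                Console.WriteLine((apply ? "Promoting: " : "Would promote: ") + update.Title);
                if (!apply) continue;
                if (update.RequiresLicenseAgreementAcceptance) update.AcceptLicenseAgreement();
                update.Approve(UpdateApprovalAction.Install, prod);
            }
        }
    }

    // Resolve a computer group by its display name in the WSUS console.
    static IComputerTargetGroup FindGroup(IUpdateServer server, string name)
    {
        foreach (IComputerTargetGroup g in server.GetComputerTargetGroups())
            if (g.Name == name) return g;
        throw new ArgumentException("No WSUS computer group named '" + name + "'");
    }
}
```

Run it from a scheduled task on the WSUS server under an account that is a WSUS Administrator; the updates that never reach the Production group are the ones removed from Test during the test window, which is the control the thread asks for.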
Expert Comment

ID: 33511413
Just thought of this:

Do you have the ability to assign computers using GPO (client side targeting)?

The combination of GPO and WMI filters is very powerful. You could detect a piece of installed software using WMI (registry query) and effectuate a different GPO (different computer group) based on the installed software.

Your deployment seems large enough to warrant an investigation into this.

Assisted Solution

by: Rick Johnson
Rick Johnson earned 1000 total points
ID: 33536049
You can approve the patches to the group you want (matching the OU structure) and then right click on the patch and set a deadline for 2 weeks, 1 week, whatever. You would then make sure that Group Policy was set up NOT to automatically patch machines, letting the deadline pass and thereby forcing it to happen.

It's a bit manual but it does work.

Author Comment

ID: 33542746
- Rant32, still looking into those links.
- niwqk, Curious. Setting the deadline simply means "install before this date", correct?

Expert Comment

by: Rick Johnson
ID: 33545249
That is correct... however, if you have it set up within Group Policy to simply download the patches but not automatically install them, this could work. Of course, it would take some training to NOT install the patches when the machine comes up with the notification. :-)

Author Closing Comment

ID: 33579792
Both experts gave good advice. Though I should note that rant32's C#/.NET solution will be our likely course of action... as deadlining an update does not offer the level of control needed for our environment.
