Solved

WSUS Help!

Posted on 2012-04-03
Last Modified: 2013-12-02
We've recently installed WSUS on our SBS 2011 for our small network of about 50 computers. I've been having some simple problems, and I'm hoping someone here might be able to help me out here.

Okay so after configuring the group policy settings, some of our users (specifically people with domain admin privileges) all had IE 9 install last night. Usually the Update settings are grayed out and state it's controlled via the network; for some reason people with Domain admin privileges are still able to manually install the updates. I want to control all the updates through the server regardless of groups from the SBS 2011. The normal Domain user clients work just fine.

Second question is why did IE 9 install for all of them? We're all using 8, I specifically declined IE 9 on the server, but it still shows up to install manually for the admins on their desktop computers. For some reason it all installed this morning even though it's supposed to install at 2:00 AM at night. So that must mean they are not even connected to the update server?

I have attached all the screenshots I think that can help you, if you need any more details or screenshots, please let me know. This is causing some big issues on our network!

I decline IE 9 on the server

[Screenshot: Decline]

But yet on my laptop it's showing up still (I do have domain admin privileges.)

[Screenshot: Decline 2]

Below are the GP settings

[Screenshots: Client GP settings, Common GP Settings, Server GP Settings]
Question by:Pancake_Effect
11 Comments
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 249 total points
ID: 37801539
You need to use the "Toolkit to Disable Automatic Delivery of Internet Explorer 9"

http://www.microsoft.com/download/en/details.aspx?id=179
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37801569
Thanks! I will look into that.

I just logged into one of the regular domain users' accounts as a test. I noticed the normal clients are now able to see their updates and manually install them. I don't believe it's always been like that. Did I mess something up where they are not connecting to the server?
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37801621
[Screenshots: Domain Admins, Domain User]
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 249 total points
ID: 37801625
The setting "Allow non-administrators to receive update notifications" <<disabled

means that *only* administrators can install updates.

I prefer that this gets enabled so that when users (normal) don't log off, updates will still notify the user (nag)

good explanation of settings here

http://community.spiceworks.com/how_to/show/1390


and


Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy

http://technet.microsoft.com/en-us/library/cc512630.aspx
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37801643
*Edit - Just posted right after you, I'll take a look at those

Say dstewartjr I also looked at the description of the link you sent me and it states the following:

Organizations do not need to deploy the Blocker Toolkit in environments managed with an update management solution such as Windows Server Update Services or Systems Management Server 2003. Organizations can use those products to fully manage deployment of updates released through Windows Update and Microsoft Update, including Internet Explorer 9, within their environment.

=============

So that means I should be able to do it via WSUS, but the decline isn't working for it. Odd...
0
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 167 total points
ID: 37801681
One thing I would check is to make sure you are declining in the proper group in WSUS... Additionally, check your GPO on a client machine as a non-admin with RSOP to make sure you don't accidentally have conflicting policies.

DrUltima
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37801693
Okay I believe it's all set up correctly based on comparing them, that second link is quite insightful.

So I guess there's no way to get rid of the notifications FOR administrators. Looks like it's only for non-admin users.

So I guess the only real problem I have left still, is why is IE 9 showing up on the list to install for our client computers. Because as stated above apparently I don't need to install that rootkit for domain environments, and can be controlled via the WSUS server.

But even though I declined the update, it still shows up on the client computers:

[Screenshot: IE 9 still shows even though it's declined]
This is problematic, because (I work for a small healthcare facility) the radiology department software requires IE 8 and will not work with IE 9 at all. But it keeps installing it, and I have to uninstall it.
0
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 167 total points
ID: 37801708
OOC, did you deny ALL of the IE9 installation variations (32 bit, 64 bit, Vista, etc.) for the container which hosts your client workstations?
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 249 total points
ID: 37801810
Take that back :)

http://support.microsoft.com/kb/946202

would be the same for ie9
0
 
LVL 17

Accepted Solution

by:Tony Massa
Tony Massa earned 84 total points
ID: 37801946
You should also disable access to Windows updates for your clients.  If you want to prevent them from accessing Windows Update and installing, you should enable the "Remove Links and access to Windows Update" under "User Configuration/Administrative Templates/Start Menu and Taskbar"
0
 
LVL 4

Author Closing Comment

by:Pancake_Effect
ID: 37802251
Thanks for the help everyone! I have it solved from the combination of your answers.

First off to solve the issue with IE9 still showing up, I downloaded the rootkit from dstewartjr's link ( http://www.microsoft.com/download/en/details.aspx?id=179 ) and instead of running it locally, it also came with an extra ADM file that I used to tell the network to hide the update for IE9. Worked like a charm.

As far as my other problem with users being able to still see the updates etc. tmassa99's solution of hiding the links via group policy also worked great.

Again thanks for the help everyone for the solutions and the provided information!
0
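Added example (not part of the original thread): a PowerShell check that reads, on a client, the registry values behind the settings discussed above, to answer the "are they even connected to the update server?" question and to confirm the two fixes took effect. The registry locations are the standard ones for the WSUS client policy, the IE9 Blocker Toolkit and the "Remove links and access to Windows Update" user policy; `Get-RegValue` is a helper defined here.

```powershell
# Added example: read the update-policy values discussed in this thread.
# Run on the client as the affected user (the HKCU value is per-user).
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value not present
    return $item.$Name
}

$wu  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ie9 = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Setup\9.0'
$exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

$state = @{
    WUServer             = Get-RegValue $wu 'WUServer'                  # WSUS URL from GPO
    UseWUServer          = Get-RegValue "$wu\AU" 'UseWUServer'          # 1 = use WUServer
    AUOptions            = Get-RegValue "$wu\AU" 'AUOptions'            # 4 = scheduled install
    ScheduledInstallTime = Get-RegValue "$wu\AU" 'ScheduledInstallTime' # hour of day, 2 = 02:00
    ElevateNonAdmins     = Get-RegValue $wu 'ElevateNonAdmins'          # non-admin notifications
    DoNotAllowIE90       = Get-RegValue $ie9 'DoNotAllowIE90'           # 1 = IE9 delivery blocked
    NoWindowsUpdate      = Get-RegValue $exp 'NoWindowsUpdate'          # 1 = WU links removed
}

$findings = @()
if ($state.UseWUServer -ne 1 -or -not $state.WUServer) {
    $findings += 'Client is not pointed at a WSUS server, so declines made on the server do not apply to it.'
}
if ($state.DoNotAllowIE90 -ne 1) {
    $findings += 'IE9 blocker value is not set; IE9 can still be offered to this machine.'
}
if ($state.NoWindowsUpdate -ne 1) {
    $findings += 'Links and access to Windows Update are not removed for this user.'
}

# Print the raw values, then any gaps against the fixes described in the thread.
New-Object PSObject -Property $state | Format-List
if ($findings.Count -eq 0) {
    'All checked values match the settings from the thread.'
} else {
    $findings
}
```

Comparing the output for a domain admin account and a normal domain user on the same machine shows whether the difference comes from the per-user policy or from the machine policy.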
