Solved

Configuring SBS2011 Updates via Console and WSUS for Laptops

Posted on 2013-05-24
Last Modified: 2013-05-28
I have an SBS2011 server that is managing updates through WSUS for the desktops on the network, but I have recently added a laptop that is away from the network for long periods even though it is joined to the domain, so I want to ensure that it gets its updates correctly. I have currently added it to excluded computers in the SBS Console and WSUS is reporting that there are updates for it that require approval.
How do the SBS2011 console and WSUS handle a computer that is not in regular contact with the server? By adding it to excluded computers, will it use update settings locally and go to Windows Update to update itself?
How do I configure this so that the machine stays up to date and WSUS reports correctly?
Question by:Milkybar-kid
5 Comments
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39196029
Generally it's best if you're going to have laptops that are "off the LAN" for long periods of time to not join the domain. Is the user of the laptop a local admin on the laptop?
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 39196584
Do you have experience with Group Policies?
If so you can build your GPO for WSUS and Non-WSUS computers.
Put those computers into the groups to control which computers can read the GPO.

1: WSUS Computers GPO : settings to point them to your WSUS server.
2: Non-WSUS Computer GPO: Settings to look for and install updates, but do not configure the settings for pointing the client to a WSUS Server.
The settings are "Specify intranet Microsoft update service location" and "Enable client-side targeting".

This will at least configure the Update settings on the laptop.


With the laptop in a disconnected state, there is no way that it can report back to WSUS to let you know the status of the machine.
0
 
LVL 1

Author Comment

by:Milkybar-kid
ID: 39196728
Yes, I could configure group policy. What I was really trying to understand was the behaviour of computers that have been excluded from updates using the SBS2011 console. I cannot find any documentation anywhere to describe how this works, and the fact that WSUS reported updates needed seemed to indicate that the group policy was hanging on to the update settings for the excluded laptop.
I was hoping that moving the laptop to excluded computers meant that it would not look to the WSUS server for its updates but manage the updates itself using Windows Update services, but that seems to not be the case?
I don't really understand why that facility is even there on the SBS console. Why would you want to exclude a computer from windows updates anyway?
Cris - no the user is not a local admin. There is a local admin on the computer but normal users do not have those rights for the usual security benefits. I hear what you say about taking it off of the domain. Would prefer to keep it domain joined and rework the WSUS settings with Group Policy. Are there any gotchas with that?
0
 
LVL 35

Accepted Solution

by:
Cris Hanna earned 500 total points
ID: 39196776
Moving the computer to the Excluded Group via the SBS console is the correct way to do this... it changes the group policy that will be applied to that computer, and so updates can be installed directly from Windows Update.

However, in order for the change in applied group policy to take place, the laptop needs to come into the office and log on to the domain as an admin.

Then go to an elevated command prompt and run gpupdate /force
0
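
A way to confirm on the laptop, after the gpupdate /force step in the accepted solution, whether Windows Update policy still points it at the WSUS server. This is an added example, not part of the thread: it reads the standard Windows Update policy registry values behind the two settings named earlier, and the helper names Get-WUPolicyState and Read-Value are hypothetical.

```powershell
# Added example: report whether Windows Update policy still binds this
# client to a WSUS server. Run elevated on the laptop after gpupdate /force.
function Get-WUPolicyState {   # hypothetical helper name
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"

    # Either key is absent when no update policy applies; treat as "not set".
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    # Return $null for a missing key or value instead of throwing.
    function Read-Value($item, $name) {
        if (-not $item) { return $null }
        $prop = $item.PSObject.Properties[$name]
        if ($prop) { return $prop.Value }
        return $null
    }

    $server  = Read-Value $wu 'WUServer'
    $useWsus = Read-Value $au 'UseWUServer'

    New-Object PSObject -Property @{
        # Values written by "Specify intranet Microsoft update service location"
        WUServer             = $server
        WUStatusServer       = Read-Value $wu 'WUStatusServer'
        UseWUServer          = $useWsus
        # Value written by "Enable client-side targeting"
        TargetGroup          = Read-Value $wu 'TargetGroup'
        # Scheduling values; empty means no policy value is set
        NoAutoUpdate         = Read-Value $au 'NoAutoUpdate'
        AUOptions            = Read-Value $au 'AUOptions'
        ScheduledInstallDay  = Read-Value $au 'ScheduledInstallDay'
        ScheduledInstallTime = Read-Value $au 'ScheduledInstallTime'
        # The client uses the intranet server only when both are present
        PointsAtWsus         = [bool]($useWsus -eq 1 -and $server)
    }
}

$state = Get-WUPolicyState
$state | Format-List
if ($state.PointsAtWsus) {
    Write-Warning "Policy still points this client at $($state.WUServer)."
} else {
    Write-Output 'No WSUS server is set by policy on this client.'
}

# List the computer GPOs actually applied at the last policy refresh.
gpresult /r /scope computer
```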
 
LVL 1

Author Closing Comment

by:Milkybar-kid
ID: 39200802
Thank you Cris, that was the clarification I was looking for. I take it that when excluded, the Windows Update settings for the local machine control the scheduling of updates also?
0

Question has a verified solution.
