Solved

Configuring SBS2011 Updates via Console and WSUS for Laptops

Posted on 2013-05-24
5
744 Views
Last Modified: 2013-05-28
I have an SBS2011 server that is managing updates through WSUS for the desktops on the network but I have recently added a laptop that is away from the network for long periods even though it is joined to the domain so I want to ensure that it gets its updates correctly. I have currently added it to excluded computers in the SBS Console and WSUS is reporting that there are updates for it that require approval.
How does the SBS2011 console and WSUS handle a computer that is not in regular contact with the server? By adding it to excluded computers will it use update settings locally and go to Windows Update to update itself?
How do I configure this so that the machine stays up to date and WSUS reports correctly?
0
Comment
Question by:Milkybar-kid
  • 2
  • 2
5 Comments
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39196029
Generally it's best if you're going to have laptops that are "off the lan" for long periods of time to not join the domain.   Is the user of the laptop a local admin on the laptop?
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 39196584
Do you have experience with Group Policies?
If so you can build your GPO for WSUS and Non-WSUS computers.
Put those computer into the groups to control which computers can read the GPO.

1: WSUS Computers GPO : settings to point them to your WSUS server.
2: Non-WSUS Computer GPO: Settings to look for and install updates, but do not configure the settings for pointing the client to a WSUS Server.
The settings are Specify intranet Microsoft update service location and Enable client-side targeting

This will at least configure the Update settings on the laptop.


With having the laptop in a disconnected state there is no way that it can report back to WSUS to let you know the status of the machine.
0
 
LVL 1

Author Comment

by:Milkybar-kid
ID: 39196728
Yes I could configure group policy. What I was really trying to understand was the behaviour of computers that have been excluded from updates using the SBS2011 console. I cannot find any documentation anywhere to describe how his works and the fact that WSUS reported updates needed seemed to indicate that the group policy was hanging on to the update settings for the excluded laptop.
I was hoping that moving the laptop to excluded computers meant that it would not look to the WSUS server for it's updates but manage the updates itself using windows update services but that seems to not be the case?
I don't really understand why that facility is even there on the SBS console. Why would you want to exclude a computer from windows updates anyway?
Cris - no the user is not a local admin. There is a local admin on the computer but normal users do not have those rights for the usual security benefits. I hear what you say about taking it off of the domain. Would prefer to keep it domain joined and rework the WSUS settings with Group Policy. Are there any gotchas with that?
0
 
LVL 35

Accepted Solution

by:
Cris Hanna earned 500 total points
ID: 39196776
Move the computer to the Excluded Group via the SBS console is the correct way to do this...it changes the group policy that will be applied to that computer, and so updates can be installed directly from Windows update.

However, in order for the change in applied group policy to take place...the laptop needs to come into the office, logon to the domain as an admin

Then go to an elevated command prompt, and run gpupdate /force
0
 
LVL 1

Author Closing Comment

by:Milkybar-kid
ID: 39200802
Thank you Cris, that was the clarification I was looking for. I take it that when excluded, the windows update settings for the local machine control the scheduling of updates also?
0

Featured Post

Integrate social media with email signatures

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

Join & Write a Comment

Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now