Solved

Non domain/ windows updates

Posted on 2014-02-24
3
1,790 Views
Last Modified: 2014-02-24
Hello,

Is there a way to control Windows updates for multiple computers that are not currently not in a domain (third party apps or other). I'm aware that within a domain WSUS would probability be deployed?  Thanks for any information you may be able to provide.

All the best,
Wattz
0
Comment
Question by:nickywattz
3 Comments
 

Expert Comment

by:pr0gm4n
ID: 39883797
You still can use WSUS without a domain but you'll have to change some registry entries in every client. that way every client must point to the WSUS IP server, if that works for you here's the solution


1.      
Create a *.reg file (wsus-client.reg) containing this:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"AcceptTrustedPublisherCerts"=dword:00000001
"ElevateNonAdmins"=dword:00000001
"TargetGroup"="Workstations"
"TargetGroupEnabled"=dword:00000000
"WUServer"="http://your-WSUS-server:port";
"WUStatusServer"="http://your-WSUS-server:port";

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000004
"AUPowerManagement"=dword:00000001
"AutoInstallMinorUpdates"=dword:00000001
"DetectionFrequency"=dword:0000000a
"DetectionFrequencyEnabled"=dword:00000001
"IncludeRecommendedUpdates"=dword:00000001
"NoAUAsDefaultShutdownOption"=dword:00000001
"NoAUShutdownOption"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"RebootRelaunchTimeout"=dword:0000000a
"RebootRelaunchTimeoutEnabled"=dword:00000001
"RescheduleWaitTime"=dword:0000000a
"RescheduleWaitTimeEnabled"=dword:00000001
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001

2.      
Edit the lines:
- "WUServer"="http://your-WSUS-server:port";; and
- "WUStatusServer"="http://your-WSUS-server:port";;
to match the IP address (or FQDN) of your WSUS server. IMPORTANT: remove the ";" from the end of that lines!

Examples:
"WUServer"=" http://WSUS.company.com:81 "
"WUStatusServer"=" http://WSUS.company.com:81 "

"WUServer"=" http://192.168.0.1 "
"WUStatusServer"=" http://192.168.0.1 "

"WUServer"=" http://intranet.local:8080 "
"WUStatusServer"=" http://intranet.local:8080 "

The first key is named WUServer. This registry key holds a string value which should be entered as the WSUS server’s URL.

The other key that you will have to change is a string value named WUStatusServer. The idea behind this key is that the PC must report its status to a WSUS server so that the WSUS server knows which updates have been applied to the PC. The WUStatusServer key normally holds the exact same value as the WUServer key.

3.      
Store the *.reg file
where the computers have access to it.

4.      
Apply the *.reg file by:
- double click on it from the client machine (admin rights required)
OR
- put in into the login script so it will be applied at every login

Here an example for using it in a Novell Login Script (Drive Z: is here the drive needed for the login):

IF OS = "WINNT" THEN
#regedit.exe /s Z:\WSUS\wsus-client.reg
@wuauclt.exe /resetauthorization /detectnow
END

76738995e71728dac04dbfda5c36e2482bf65e1fead6c945d068ff383595c652_xp-wsus-enabled_big
5.      
Options:
Here some links to get more informations about the options used in the *.reg file:

- http://technet.microsoft.com/en-us/library/cc708449%28WS.10%29.aspx
- http://www.windowsnetworking.com/articles_tutorials/Registry-Keys-Tweaking-Windows-Update-Part1.html
- http://www.windowsnetworking.com/articles_tutorials/Registry-Keys-Tweaking-Windows-Update-Part2.html
- http://www.wsus.de/gpo (German - sorry)
- http://smallvoid.com/article/winnt-automatic-updates-config.html
- http://www.appdeploy.com/tips/detail.asp?id=103

6.      
How to remove that settings from the client?
Maybe it`s needed to remove that settings for various reasons. To get the default values in the registry, just follow the next step.

7.      
Create a *.reg file (remove-wsus-client.reg) containing this:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]

8.      
Store the *.reg file
where the computers have access to it.

9.      
Apply the *.reg file by:
- double click on it from the client machine (admin rights required)

That`s all. I don`t think it`s useful to add this in a login/logout script ;-) but it would work too.

3160e5d533e6fe595329591ebf9493bca50fe03d1cfdd4e16dd5d36dca090e17_xp-wsus-disabled_big
Conclusion
I use this method for setting up a new machine even the machine will be used outside of our network after setup.
In this way the new client gets all needed updates in a shorter time frame than downloading it all via internet from Microsoft.
After finishing the setup, I remove the settings as described from #6 on.
0
 
LVL 34

Accepted Solution

by:
Seth Simmons earned 500 total points
ID: 39883804
not being in a domain, you can't use a GPO but you can still configure them individually for WSUS; domain isn't required

you would go on the local system and run gpedit.msc and go to computer configuration -> administrative templates -> windows components -> windows update

from there you can define values for "specify intranet microsoft update service location" and put the URL of the wsus server.  you can also define other options as you need

i've done a non-domain wsus virtual test environment at home and works nicely
0
 

Author Comment

by:nickywattz
ID: 39884093
Thank you both for the comments. I didn't realize you could use WSUS without a domain. Could you please provide some useful articles related to building a WSUS server (requirements involved) . And the steps you took in creating your virtual environment. I have about 50 computers that will need updates.
0

Featured Post

How does your email signature look on mobiles?

Do your employees use mobile devices to reply to emails? With mobile becoming increasingly important to the business world, it is in your best interest to make sure that your email signature looks great across all types of devices.

Join & Write a Comment

Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
Several part series to implement Internet Explorer 11 Enterprise Mode
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now