WSUS applied Updates to all groups!

I have just recently configured and installed WSUS on my network. I created two groups, Test group and all other PCs. I only approved some updates for the Test-group, but later people were calling me and telling me that their PCs are asking them to restart because of the Windows update. How did this happen?

Furthermore, I have created two domain policies, one for each group, so that PCs join the right computer group I have created, and that has been working just fine.

Please review the images attached.
WSUS-Server.JPG
DC.JPG
911-SOS Asked:
 
Korbus Commented:
Sorry about the delay in reply. I saw your screenshot: take a look at the settings tab.
This tab will take all the settings, from all Group Policies applied to this user/computer combination, and show you which ones will be put into effect. You can then "play around" with your OUs and GPO bindings, and rerun this report until the results come out correct.

Yes, I think you will want to create a separate OU for the WSUS update policy you want to apply to machines that are NOT in the Workstations OU. (And remove it from the default domain policy, as you said.) Note: there may be a better way to do this, and have settings from one of the Update GPs override the default domain GP, but honestly, I'm not really sure how to do this.
0
 
Santosh Gupta Commented:
Hi,

Please enable the group policy below.

wsus1
0
 
911-SOS Author Commented:
Sure, I'll check back with you.
0
 
Korbus Commented:
To determine why it applied the wrong settings to the test-group: I think I would start by generating an RSOP for a user and test-group computer, to confirm it assigns the correct group policy update settings.
Check out the "Group Policy Results" item on the left of the Group Policy screen to do this test.
0
 
911-SOS Author Commented:
Reply to Guru:

Before I enable that policy I wanted to ask you: if I enable it, would it automatically restart the PC? If it does, I don't want it then.
0
 
Santosh Gupta Commented:
Hi,

See the policy name "No auto restart with logged on user for scheduled automatic update installation".

If you enable it, it will not reboot your system.

If not, then as the default behaviour it will reboot the system.
0
 
911-SOS Author Commented:
Reply to Korbus:

Please see the attached image, if that is what you mean.
RegistrySettings.JPG
0
 
911-SOS Author Commented:
Reply to Santosh Gupta:

Hi,

Thank you for that. Even though your information was valuable, I think I need to change the update time to night time instead of in the morning, and I would like the PC to restart so that by the time users come to work their PCs are ready to use.

I'm trying to eliminate any user interaction with the updating process.
0
 
Santosh Gupta Commented:
So you leave your PCs running at night? If so, then it is OK to set it at night.

If not, then you should go with enabling "No auto restart with logged on user for scheduled automatic update installation".
0
 
911-SOS Author Commented:
Yeah, the PCs are running at night.
0
 
911-SOS Author Commented:
Any ideas, guys?....
0
 
Santosh Gupta Commented:
OK,

That will be good; change the settings as below.

1. No auto-restart for scheduled Automatic Update installation options - Disabled
2. Change Schedule install time -  3:00
3. Delay Restart for scheduled installations- Enabled

http://technet.microsoft.com/en-us/library/cc512630.aspx
0
 
Korbus Commented:
Looked at that screenshot (registrySettings.jpg):  no, that's not what I meant.

In the group policy window you initially posted (DC.jpg), there is an item in the left pane called: group policy results.
You can use that applet to confirm which group policy settings will be applied to a particular computer & user combination.  This is one of the primary tools I use to determine why group policy isn't working out as expected.
0
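One way to see on a single client what the Group Policy Results report and the settings list posted earlier come down to, as an added example that is not part of the original thread: it reads the Windows Update policy values that the applied GPOs wrote to the registry and compares them with the plan discussed here. The group name `Workstations` and the `AUOptions` value of 4 are assumptions; adjust them to your own WSUS group and install mode.

```powershell
# Added example, not from the thread. Run on the client being checked.
param(
    # Assumption: the WSUS computer group this PC should report to.
    [string]$ExpectedGroup = 'Workstations'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the value is absent, i.e. no applied GPO configures it.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Each row: registry key, value name, value expected under the plan in this thread.
# Expected = $null marks a value that is only reported, not checked.
$checks = @(
    @{ Key = $wuKey; Name = 'WUServer';                      Expected = $null }          # which WSUS server
    @{ Key = $wuKey; Name = 'TargetGroupEnabled';            Expected = 1 }              # client-side targeting on
    @{ Key = $wuKey; Name = 'TargetGroup';                   Expected = $ExpectedGroup } # group the client claims
    @{ Key = $auKey; Name = 'AUOptions';                     Expected = 4 }              # assumed: scheduled install
    @{ Key = $auKey; Name = 'ScheduledInstallTime';          Expected = 3 }              # hour of day, 3 = 03:00
    @{ Key = $auKey; Name = 'NoAutoRebootWithLoggedOnUsers'; Expected = 0 }              # "No auto-restart" Disabled
    @{ Key = $auKey; Name = 'RebootWarningTimeoutEnabled';   Expected = 1 }              # "Delay Restart" Enabled
)

$report = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Key -Name $c.Name
    [pscustomobject]@{
        Setting  = $c.Name
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Expected = if ($null -eq $c.Expected) { '(info)' } else { $c.Expected }
        OK       = ($null -eq $c.Expected) -or ($actual -eq $c.Expected)
    }
}

$report | Format-Table -AutoSize
```

A `TargetGroup` that differs from the expected one, or is not set at all, means the wrong WSUS policy won on that machine, which is the situation the Group Policy Results report is meant to explain.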
 
911-SOS Author Commented:
Reply to Korbus:

Thank you for your reply; please find the results in the attached image. I couldn't really understand it; maybe you can help make sense of the Applied GPOs.

1- I have chosen one of the PCs which is supposed to be in the Workstations group, meaning the updates that I approve for the test-group shouldn't apply to the Workstations group until I decide.

2- I have made two different WSUS policies. One is called WSUS Update policy for Test PCs, which I have linked to the TestWorkStations OU (you can see it in the image as well), and the second is WSUS Update Policy, which is linked to the Workstations OU. Why are there two WSUS Update policy entries and one WSUS Update Policy for Test PCs and a Default Domain Policy added to this computer? I can understand the default one.

I only need the WSUS Update Policy to take effect on the Workstations OU. Should I remove the ones from the top of the domain so they wouldn't affect my OUs?

Thank you.
GPResults.JPG
0
 
Korbus Commented:
So you got your policies applying properly now 911?
Did that RSOP page help figure it out?
0
Question has a verified solution.
