AXISHK
asked on
Exclude WSUS update of workstations
We have used GPO to deploy WSUS for all workstations.
Under the WSUS console, what's the difference between "All Computers" and "Unassigned Computer"? I have checked some unassigned computers and in fact their registry has "WUServer" and "WUStatusServer" pointing to our internal WSUS server. How does it report as unassigned?
We use GPO to deploy WSUS so I suppose all domain workstations should be assigned with WSUS update, correct?
Is it possible to exclude some workstations from WSUS update?
Thx
ASKER
For "Client-side targeting", does it mean the configured workstation will go to the Microsoft website to retrieve the update rather than through the internal WSUS?
The reason is to ensure that we do the patches update manually for a workstation as we don't want this to happen when a senior executive is working on the computer.
Thx.
Some of the ways to do this are GPO security filter, WMI filtering, WSUS Computer targeting groups, WSUS approval rules etc.
Do you have access to create policies in AD? Do you have computer groups? Do they target via GPO or manually?
"For "Client-side targeting", does it mean the configured workstation will go to Microsoft website to retrieve the update rather than through the internal WSUS?"
No, it just means that you can separate PCs into groups so that you can set up different approval rules. PCs will only go to Microsoft for updates if they are not configured to use WSUS.
ASKER
WSUS policy is applied to the whole domain. So, how to exclude a few workstations from patching by WSUS? Any further example (steps) on how to set it up?
Thx
You can still use client-side targeting for this as well. BTW, why would you want to exclude PCs from getting their updates in the first place?
Just exclude his computer on GPO security as per 42110285
"he want to do the patching by himself"
Ok, but you're still going to want reporting on this PC (status updates you can view in WSUS), otherwise who's going to know whether he is indeed staying on top of the updates?
Is the problem that he gets interrupted by updates? If that's the case, schedule them for when he's out of the office. You can also configure active hours for all users:
https://www.ghacks.net/2016/04/08/windows-10-active-hours/
ASKER
Thx
Look over client side targeting here
https://prajwaldesai.com/how-to-configure-client-side-targeting-in-wsus/
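
The registry check in the question covers only "WUServer" and "WUStatusServer"; which WSUS group a client lands in depends on two further policy values. The PowerShell below is an added example, not code from any post in this thread. It reads the standard Windows Update policy keys on a client and reports why the machine would show under Unassigned Computers; the function names are hypothetical.

```powershell
# Added example: explain why a WSUS client lands in "Unassigned Computers".
# Reads the Windows Update policy values that the GPO writes on the client.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-WsusClientTargeting {
    # Hypothetical helper: collects the values and adds a plain-language finding.
    $state = [ordered]@{
        WUServer           = Get-PolicyValue $wuKey 'WUServer'
        WUStatusServer     = Get-PolicyValue $wuKey 'WUStatusServer'
        UseWUServer        = Get-PolicyValue $auKey 'UseWUServer'
        TargetGroupEnabled = Get-PolicyValue $wuKey 'TargetGroupEnabled'
        TargetGroup        = Get-PolicyValue $wuKey 'TargetGroup'
    }
    $state.Finding = if (-not $state.WUServer -or $state.UseWUServer -ne 1) {
        # WUServer is only honoured when AU\UseWUServer is 1.
        'Not using WSUS: the client is not pointed at an intranet update server.'
    } elseif ($state.TargetGroupEnabled -ne 1 -or -not $state.TargetGroup) {
        # Points at WSUS but claims no group, so the server keeps it unassigned.
        'Reports to WSUS but names no target group: stays in Unassigned Computers unless moved in the console.'
    } else {
        "Requests group(s) '$($state.TargetGroup)': honoured only if the WSUS server uses Group Policy for group assignment and the group exists there."
    }
    [pscustomobject]$state
}

Get-WsusClientTargeting | Format-List
```

Run it in an elevated or standard PowerShell session on the workstation in question; it only reads policy values and changes nothing.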