Re: Understanding WSUS
- From: "Rick F" <rick.REMOVE@xxxxxxxxxxxxxxxx>
- Date: Wed, 17 Aug 2005 23:28:54 -0500
Thanks for the explanation. I want WSUS to automatically approve and install
critical updates on just the workstations and I will manually approve them
for the Servers.
In WSUS under Options, I have configured automatic detect and automatic
approve for workstations but only detect for the servers. This is how the
instructions are on Mariette's site.
So why aren't the critical updates installing on the workstations but only
showing that they are needed?
--
Rick Faria - MCSE / A+
RDF Technical Services - www.rdfts.com
Email: support at rdfts dot com
"Chad A. Gross [SBS MVP]" <chad.gross@xxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:utPvSC4oFHA.1372@xxxxxxxxxxxxxxxxxxxxxxx
> Hi Rick
>
> That is just a filtered view of your current updates. Each update has one
> of four approval settings:
>
> Install
> Detect Only
> Not Approved
> Declined
>
> The short story is that the only updates that are going to get installed
> on your machines are the ones with their approval set to Install. By
> default, WSUS automatically sets the approval level for new updates to
> Detect Only. This allows the administrator to see what patches are needed,
> so you can then review those patches and see if you want to approve those
> patches for installation. The theory here is that if there are 15 new
> patches released, but you only needed 3 on your network, why would you
> review and test the 13 that aren't needed (and thus won't be installed)?
>
> SO - when you review the needed patches, you then change the approval
> status as necessary, to Install if you want the update(s) installed,
> Declined if you don't want to install the updates (and don't want to see
> them again) . . . think a patch gone bad that is replaced with an updated
> version, or a non-critical Office patch that you find breaks some
> 'feature' that the users can't live without, etc. Detect Only obviously
> detects if the patch is needed, but doesn't install it, and Not Approved
> are patches that haven't had anything done with them yet. SO - to change
> a patch's approval, on the Updates screen, you can filter your view to
> show you the updates currently set to Detect Only, click on an update,
> then click the Change Approval link in the top left to change to either
> Install or Not Approved. You can decline the update
>
> Now, when you go to access the WSUS Options | Automatic Approval Options, you can
> change what update classifications (Critical Update, Rollup, Drivers,
> Service Packs, etc.) are automatically approved for detection, and which
> ones are automatically approved for installation. I am currently not
> using any automatic approval for installation - I want to control what
> updates I approve for installation. But I am using automatic approval for
> detection, so I can see at a glance what patches are needed by which
> machines.
>
> SO - you can configure WSUS to not automate anything - where you manually
> synchronize your WSUS server, manually set updates for Detect Only, then
> manually set those updates to Install. Or, you can configure WSUS to
> synchronize automatically, and automatically approve updates (based on
> classification) for detection, but then manually approve updates for
> installation. OR, you can configure WSUS to also automatically approve
> updates for installation as well (which would be the same as manually
> setting Automatic Updates on a PC to install everything automatically).
> But it all comes back to the approval setting for the individual updates -
> which have to be set to 'Install' to be installed . . . it's just a
> matter of whether you manually approve updates for installation, or allow
> WSUS to automatically approve updates for installation.
>
> WSUS is definitely different than Shavlik. While there are things I
> really like about Shavlik, WSUS is growing on me. Specifically, I like
> the idea that WSUS effectively lets me create an update policy on the
> network - so if there is a random patch that we don't want installed for
> whatever reason, I can decline that on the WSUS console and never have to
> worry about that patch being installed by accident. If I rebuild a PC, I
> don't have to worry about remembering what patch(es) I don't want, etc.
> Drop that puppy on the network, it picks up the GPO, checks in with WSUS
> and installs all necessary patches (and none of the ones I don't want),
> without any additional effort on my part. That is where I see the real
> benefit of WSUS . . .
>
> The only thing I would change with WSUS is to include some sort of
> mechanism to force / push an update, so if there is something really nasty
> that comes out, I can install it everywhere ASAP . . .
>
> --
>
> Chad A. Gross - SBS MVP
> SBS ROCKS!
>
> http://msmvps.com/cgross
>