Re: Rescheduling missed updates with WSUS 3.0
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 29 Oct 2007 13:05:30 -0400
Yes and yes - I have a "WSUS Client PC Policy" and a "WSUS Server Policy,"
each linked only to the SBSComputers and SBSServers OUs respectively. The
only difference is that clients are set to "auto download and install,"
while servers are set to "auto download and notify." FWIW, I'm running WSUS
installed per the SBS-specific white paper, not R2.
To create separate GPOs for the two OUs, you can just leave the existing
policy, but make sure it's linked only to SBSComputers. In the GPMC,
r-click the policy and click Copy. R-click Group Policy Objects -> Paste.
That'll create a new GPO called "Copy of old GPO." Rename the copy, edit it
as you prefer, and link it to SBSServers.
I let WSUS automatically approve critical and security updates for the
servers, but then I install them manually. When I see the yellow shield, I
start the wizard and choose Custom. I note the KB numbers for all the
updates that are queued for installation in case something goes wrong, then
I let it install them all and restart. The two advantages to this, IMO, are
that nothing I don't want is installed on my servers by accident or
carelessness on my part, and that the servers are only restarting at a time
I choose, and when I'm here to deal with any potential issue. I have not
had any particular problem with WSUS, or with updates in general - primarily
it's that I can have users here at all hours, backups running, etc. - I just
feel that it's important for me to be in control of when that server
reboots.
"Arthur" <mynewsgroupaccount@xxxxxxxxxxxxxx> wrote in message
news:OmGMqIPGIHA.6068@xxxxxxxxxxxxxxxxxxxxxxx
Dave, I was just reading through your thread again and the link you
referred to.
In my Group Policy I have a Policy called WSUS that is linked to the
domain. Are you saying that you have a seperate policy for WSUS Client
computers and WSUS Server Computers ?
Do you then link these to the domain.local > My Business > Computers >
SBSServers / SBSComputers containers seperately to control the download
and install behaviour ?
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:OJPmDObFIHA.4196@xxxxxxxxxxxxxxxxxxxxxxx
If I'm reading your original post correctly, your users are local admins
on the client PCs? That would explain why they get the shield, and can
choose to install the updates or not. I agree that's a weakness, but
I've only got a couple of users who run as local admin. I'm one of them
(don't tell Susan Bradley), and I leave my PC running all the time, so
mine are already installed when I get here. I've recommended that the
others just ignore the shield, and let the updates either install at the
scheduled time, or at shutdown.
I would expect that if you tell AU to install the updates at mid-day,
they would install, but then the users (at least the non-admin users)
would be forced to reboot. Even admin users will get tortured with
frequent requests to reboot, although at least they can veto the request
if they're paying enough attention not to OK it without thinking.
Whatever you do, I recommend enabling the setting not to force the
restart. I haven't had any problems with non-admin users just doing the
"install updates and shut down" thing, allowing the updates to install at
the end of the work day - that becomes the default shutdown option if
there are updates waiting to install.
By the way, while I have client PCs set to "auto download and install,"
the SBS and member servers are set to "auto download and notify." I
don't ever want a server to reboot itself unless I'm here to make sure it
comes back up normally, and I view automatically updating servers as an
invitation for your boss to call you with a big problem during your
vacation.
This article explains all of this in detail - see the chart about 3/4 of
the way down that tells the effect of the settings on admin and non-admin
users.
Managing the WSUS Automatic Updates Client Download, Install, and Reboot
Behavior with Group Policy
http://www.microsoft.com/technet/community/columns/sectip/st0506.mspx
"Arthur" <mynewsgroupaccount@xxxxxxxxx> wrote in message
news:uRlvxCbFIHA.748@xxxxxxxxxxxxxxxxxxxxxxx
Thanks very much for the information.
From your description it actually sounds like the system is behaving
correctly. RSOP returns the correct results.
I was under the impression that it would just go ahead and install the
updates if the schedule was missed not present the Yellow shield and ask
the admin user. That seems to me to describe "Download updates for me
but let me choose when to install them"
What would happen if the schedule was set for updating the clients at
say mid-day when it is more likely the PCs will be turned on ? Would the
updates just go ahead and install or would the yellow shield appear
again ?
There seems to be some room for error when the admin user can decide not
to install the updates and can also choose not to install the updates at
shutdown time as well ?
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23asfliaFIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
First things first. It sounds like the policy might not be getting
applied to the workstations? If you look in CP -> Automatic Updates,
can you see that the policies you set are indicated there, with no
ability to change them? If you log into the workstation and do
Start -> Run -> Rsop.msc, do you see the policies in the results? (You
might have to restart the workstation several times - maybe 3 - before
the policy will be applied).
I have the policy set to not force a reboot if a user is logged in. So
if the PC is turned off when the update is scheduled, and the user has
local admin rights, when they restart they get the yellow shield
prompting them to apply the updates. If they don't, when they go to
shut down, they get "Install updates and shut down." If they don't
shut down, updates apply at the next scheduled time, as long as the
user is logged out.
Non-admin users get the same thing, except they don't see the shield or
have the option to manually install the missed updates. They either
get "Install updates and shut down," or the update installs at the next
scheduled time.
"Arthur" <mynewsgroupaccount@xxxxxxxxx> wrote in message
news:OgTMjbaFIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
I'm confused about the Automatic Update client when using WSUS.
I have installed WSUS 3.0 on the small business server and created the
Computer Groups. I have setup the schedule for the Client computers to
update at 3.00 a.m.
I have checked in the Groups Policy editor on the server and this all
seems to be setup in the right place.
What is confusing me is that if a client computer is turned off at
night it is not automatically updating after it turns on in the
morning. It shows an alert that updates are waiting but they are not
getting installed automatically.
According to the deployment guide on Technet this shold occur one
minute after reboot if the Reschedule Automatic Update scheduled
installations is set to not configured - see below.
If I use gpedit on the client then the settings do not show up as set
at all.
I must be missing something basic ?
Reschedule Automatic Updates scheduled installations
This policy specifies the amount of time that Automatic Updates should
wait after system startup before proceeding with a scheduled
installation that did not take place earlier.
If the status is set to Enabled, a missed installation will occur the
specified number of minutes after the computer is next started.
If the status is set to Disabled, a missed installation will occur
with the next scheduled installation.
If the status is set to Not Configured, a missed installation will
occur one minute after the next time the computer is started.
This policy applies only when Automatic Updates is configured to
perform scheduled installations of updates. If the Configure Automatic
Updates policy is disabled, this policy has no effect.
To reschedule Automatic Update scheduled installation
1. In the Group Policy Object Editor, expand Computer
Configuration, expand Administrative Templates, expand Windows
Components, and then click Windows Update.
2. In the details pane, click Reschedule Automatic Update
scheduled installations, click Enabled, and type the number of minutes
to wait.
3. Click OK.
.
- References:
- Rescheduling missed updates with WSUS 3.0
- From: Arthur
- Re: Rescheduling missed updates with WSUS 3.0
- From: Dave Nickason [SBS MVP]
- Re: Rescheduling missed updates with WSUS 3.0
- From: Arthur
- Re: Rescheduling missed updates with WSUS 3.0
- From: Dave Nickason [SBS MVP]
- Re: Rescheduling missed updates with WSUS 3.0
- From: Arthur
- Rescheduling missed updates with WSUS 3.0
- Prev by Date: Re: Help!!
- Next by Date: Re: SBS 2003 Built in backup
- Previous by thread: Re: Rescheduling missed updates with WSUS 3.0
- Next by thread: Delete Outlook folders still visible
- Index(es):
Relevant Pages
|
