WSUS Questions

IRJ

I am new to WSUS. I built a WSUS Server and created all my Target groups and I want to approve some updates that 80%+ of our PCs already have.

I configured 3 Settings in Group Policy on the client computers. The one that I am concerned about is "Configure Automatic Updates".

Here are my questions:

1. If approve an update, it will only install on the time, I specified in the GPO, correct?

2. Nofiy for the install in the GPO doesnt mean its going to notify me, if I approve it via WSUS, correct? If I dont approve it via WSUS is it still going to bug the user and say updates need to be installed?

DenisKelley

@IRJ said:

I am new to WSUS. I built a WSUS Server and created all my Target groups and I want to approve some updates that 80%+ of our PCs already have.

I configured 3 Settings in Group Policy on the client computers. The one that I am concerned about is "Configure Automatic Updates".

Here are my questions:

1. If approve an update, it will only install on the time, I specified in the GPO, correct?** Yes, but there is another setting in GP that will make it try to do that if it failed to do so during that time. Just need to find it.**

2. Nofiy for the install in the GPO doesnt mean its going to notify me, if I approve it via WSUS, correct? If I dont approve it via WSUS is it still going to bug the user and say updates need to be installed? **Yes, since the PC/Server is "looking" at WSUS and not MS, it will believe WSUS that an update is available when you approve it. And the setting above means that it will download the update from WSUS and then notify you that there are updates that need to be installed. It won't install automatically. **

DenisKelley

The other setting(s) are:

1. No auto-restart with logged on users
2. Reschedule Automatic Updates scheduled installations. This is used for machines which you set it to update automatically. Not the way you have it configured in your example, just noting it.

Dashrender

@IRJ said:

2. Nofiy for the install in the GPO doesnt mean its going to notify me, if I approve it via WSUS, correct? If I dont approve it via WSUS is it still going to bug the user and say updates need to be installed?

If you DON'T approve it, it will not tell the end users about it. As far as the users will know there is no update. When you approve it, then they will be notified that it's available for them.

IRJ

@DenisKelley said:

2. Nofiy for the install in the GPO doesnt mean its going to notify me, if I approve it via WSUS, correct? If I dont approve it via WSUS is it still going to bug the user and say updates need to be installed? **Yes, since the PC/Server is "looking" at WSUS and not MS, it will believe WSUS that an update is available when you approve it. And the setting above means that it will download the update from WSUS and then notify you that there are updates that need to be installed. It won't install automatically. **

What about the scheduling option? How does that work?

I just want to approve it from WSUS and have everything donwloaded and then schedule to deploy a few PCs at a time

Dashrender

You can't do a few PCs at a time unless you create groups for the PCs and only put a few PCs in each group.

If you want to auto deploy the updates you need to change your
Configure Automatic Updates -> 4 auto download and schedule the install

Then list the time you want to schedule them.

You'll have to create a different OU for each group if want to have them go at different times (that would be a pretty big pain).

IRJ

@Dashrender said:

You can't do a few PCs at a time unless you create groups for the PCs and only put a few PCs in each group.

If you want to auto deploy the updates you need to change your
Configure Automatic Updates -> 4 auto download and schedule the install

Then list the time you want to schedule them.

You'll have to create a different OU for each group if want to have them go at different times (that would be a pretty big pain).

I have already created OUs for each group. I have like 20 different groups. I just have to change the GPO to 4 instead of 3 on all of them.

IRJ

This is what I have so far. I will actually have more groups once I reboot the PCs tonight and they all update group policy.

DenisKelley

@IRJ said:

@DenisKelley said:

2. Nofiy for the install in the GPO doesnt mean its going to notify me, if I approve it via WSUS, correct? If I dont approve it via WSUS is it still going to bug the user and say updates need to be installed? **Yes, since the PC/Server is "looking" at WSUS and not MS, it will believe WSUS that an update is available when you approve it. And the setting above means that it will download the update from WSUS and then notify you that there are updates that need to be installed. It won't install automatically. **

What about the scheduling option? How does that work?

I just want to approve it from WSUS and have everything donwloaded and then schedule to deploy a few PCs at a time

Like Dashrender noted, you'll need different Group Policies. They way it works is when you approve the group in WSUS, then the GP tied to that group gets enforced. So if you had TEST Group 1 with download and install automatically at 3AM, then once you approve an update for that group, the PC will download the update (next time it talks to WSUS), then at 3AM, it will then install the update.

If you do install and notify for a particular GP, then after approving, the PC or Server will just note that you are ready to install. One of the best how-to's talking about all of this is available on Microsoft called WSUS 3.0 Install Guide. Your version may be different, but this was a great guide I used years back when learning. http://www.microsoft.com/en-us/download/details.aspx?id=913

IRJ

I am changing all the GPOs to 4 - Auto download and schedule the install

Dashrender

That. Is a lot of groups, why so many?

IRJ

@Dashrender said:

That. Is a lot of groups, why so many?

Different branches and I am an AD Nazi. I like to have alot of OUs

Dashrender

Uh.. OK... You can apply the GP to the level about the 'list'. If you're OK with them all being told to install at the same time. That would cut down on the number of GPOs you have to manage.

IRJ

@Dashrender said:

Uh.. OK... You can apply the GP to the level about the 'list'. If you're OK with them all being told to install at the same time. That would cut down on the number of GPOs you have to manage.

I staggered the GPOs between midnight and 5am. That was part of the reason I created different deployment groups.