Who uses WSUS?

TechieSooner

It still seems like, even though I'm using WSUS, the users still have to install the updates themselves. Sometimes it'll auto-install, but a lot of times there is user intervention required.

How can I "push" updates out to where they get installed and I don't have to touch each machine??
 
Who uses WSUS?

//raises hand

Bundled with SBS...which a lot of my clients are on. On a couple of larger networks that are on standard servers....I've installed WSUS and use it. Saves a lot on bandwidth, and allows you to control what gets pushed out..and keep clients up to date.

Which version are you using? You have your radio button choices of what to do with updates....force 'em in, notify, etc. I separate the computers on the networks into groups in WSUS...servers (which I always do manually), clients, special rigs.
 
Yo.

Using GPOs, you can force the installations to occur at certain times. Of course, if your users are admins then they still have absolute control over their systems...which means it may still prompt for some things.

I've found it useful to set deadlines when approving updates. Makes sure they get out when I think they get out.
 
> Yo.
>
> Using GPOs, you can force the installations to occur at certain times. Of course, if your users are admins then they still have absolute control over their systems...which means it may still prompt for some things.
>
> I've found it useful to set deadlines when approving updates. Makes sure they get out when I think they get out.

The Automatic Update settings? I have them all set to install at 3:00.

For example, the Genuine Microsoft update that came out this week. I had to manually go to Windows Update to get that installed on everyone's PCs... Waiting two nights, it didn't install itself.
 
> The Automatic Update settings? I have them all set to install at 3:00.
>
> For example, the Genuine Microsoft update that came out this week. I had to manually go to Windows Update to get that installed on everyone's PCs... Waiting two nights, it didn't install itself.

Virtually every time I've had a client have a problem with WSUS it's because the GPOs are set up right. I'd double check- make sure they're 'enabled' as needed, and then audit a test machine to make sure the policy is getting to the machines correctly as well.
 
> Virtually every time I've had a client have a problem with WSUS it's because the GPOs are set up right. I'd double check- make sure they're 'enabled' as needed, and then audit a test machine to make sure the policy is getting to the machines correctly as well.

That's one of the things I check... It's applying it OK, it just isn't exactly automated to the max.

Perhaps I need to fiddle with the deadline date thing as suggested above... If I DON'T set that, does it usually just install it within a few days?

Bottom line for me, is if I approve an update, I want that update to get installed right away!
 
> That's one of the things I check... It's applying it OK, it just isn't exactly automated to the max.
>
> Perhaps I need to fiddle with the deadline date thing as suggested above... If I DON'T set that, does it usually just install it within a few days?
>
> Bottom line for me, is if I approve an update, I want that update to get installed right away!

Yeah, until it reboots someone's machine in the middle of the day and they come screaming. I'd make sure it prompts the user for a reboot, rather than doing it automatically. That's how I have it set up.
 
> Yeah, until it reboots someone's machine in the middle of the day and they come screaming. I'd make sure it prompts the user for a reboot, rather than doing it automatically. That's how I have it set up.

That's how I have it set up as well. But it still never installed the Genuine Advantage stuff!
 
these are the group policy settings I've set, and they seem to work...

Configure Automatic Updates:
- 4 - Auto Download and Schedule Install
- 0 - Every Day
- 11:00am

Specify Intranet Location:
- wsus server
- wsus server

Reschedule Automatic updates scheduled installations:
- Wait 5 minutes

No Auto Restart:
- Enabled

Allow Immediate Installation:
- Enabled

Seems to work fine for me.


> That's one of the things I check... It's applying it OK, it just isn't exactly automated to the max.
>
> Perhaps I need to fiddle with the deadline date thing as suggested above... If I DON'T set that, does it usually just install it within a few days?
>
> Bottom line for me, is if I approve an update, I want that update to get installed right away!

what are your GPO settings? They won't get installed right away, best you can do (I believe) is have it install the updates daily. Although I've never messed with the deadline stuff.
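
The audit of a test machine suggested earlier in the thread, as an added example that is not part of any post: it reads the values Group Policy writes under the standard Windows Update policy registry key and compares them with the settings listed in the post above. The expected values are taken from that post; the function names are hypothetical.

```powershell
# Added example, not from the thread. Reads the policy values Group Policy
# writes for Windows Update and compares them with the settings in the post.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = Join-Path $WuKey 'AU'

# Expected AU values, mirroring the post (adjust to match your own GPO).
$Expected = [ordered]@{
    NoAutoUpdate                  = 0   # Configure Automatic Updates is enabled
    AUOptions                     = 4   # 4 = auto download and schedule install
    ScheduledInstallDay           = 0   # 0 = every day
    ScheduledInstallTime          = 11  # hour of day, 11 = 11:00am
    UseWUServer                   = 1   # use the intranet (WSUS) location
    RescheduleWaitTimeEnabled     = 1   # reschedule missed installs...
    RescheduleWaitTime            = 5   # ...5 minutes after startup
    NoAutoRebootWithLoggedOnUsers = 1   # No Auto Restart: enabled
    AutoInstallMinorUpdates       = 1   # Allow Immediate Installation: enabled
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-WuPolicy {
    foreach ($name in $Expected.Keys) {
        $actual = Get-PolicyValue -Path $AuKey -Name $name
        if ($null -eq $actual) { $status = 'NOT SET' }
        elseif ($actual -eq $Expected[$name]) { $status = 'OK' }
        else { $status = 'MISMATCH' }
        [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]
                           Actual = $actual; Status = $status }
    }
    # Both intranet URLs must be present for the client to use WSUS.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $actual = Get-PolicyValue -Path $WuKey -Name $name
        if ([string]::IsNullOrEmpty($actual)) { $status = 'NOT SET' }
        else { $status = 'OK' }
        [pscustomobject]@{ Setting = $name; Expected = '(your WSUS URL)'
                           Actual = $actual; Status = $status }
    }
}

Test-WuPolicy | Format-Table -AutoSize
```

Run it on a test client after `gpupdate /force`; a NOT SET row means the GPO carrying that setting is not reaching the machine.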
 
> what are your GPO settings? They won't get installed right away, best you can do (I believe) is have it install the updates daily. Although I've never messed with the deadline stuff.

Exactly like yours above ;)

Except I do mine at 3 AM, so that it can reboot itself since nobody is logged on.
 
I got one of the old servers from work I want to set up for wsus. It was configured as a fall over DC iirc. I tried to remove it from the domain, but, it communicate with the DC or gave me an error, I don't remember, so I just tucked it in a corner. I'd love to get it set up as a wsus box and push updates to the machines at work. Would make my life slightly easier.
 
> Exactly like yours above ;)
>
> Except I do mine at 3 AM, so that it can reboot itself since nobody is logged on.

well then... what about the auto-restart? Since you're doing them at 3am, do you have No Auto Restart set to disabled? That's probably what I would do... that way the next set of updates can go through, if your users don't reboot often.
 
We have a wsus box running as a vm. It was originally a physical box until we did the p2v. So far it's been doing pretty well. As some have mentioned, just make sure the settings in your GPO are correct.
 
> well then... what about the auto-restart? Since you're doing them at 3am, do you have No Auto Restart set to disabled? That's probably what I would do... that way the next set of updates can go through, if your users don't reboot often.

Until you have users with laptops that take them home each night or users that think turning off their computer at the end of the day saves money for the company by not using electricity. Then they fire it up in the morning, it installs the updates while they're writing a long email to their boss and then it reboots before they send it. :p
 
> well then... what about the auto-restart? Since you're doing them at 3am, do you have No Auto Restart set to disabled? That's probably what I would do... that way the next set of updates can go through, if your users don't reboot often.

Nope, I've got mine just like yours... No Auto Restart if a user is logged on.

> Until you have users with laptops that take them home each night or users that think turning off their computer at the end of the day saves money for the company by not using electricity. Then they fire it up in the morning, it installs the updates while they're writing a long email to their boss and then it reboots before they send it. :p

I do two things at night:
1) Updates
2) NOD32 FULL scans
3) Insert _____ here.

#1 could be moved easily enough. But even as lightweight as NOD32 is, I don't want every single computer hitting a full system scan in the middle of the day!
Also, leaving it on 24/7 allows me to push stuff out in the middle of the night from the comfort of the couch :D
 
I use WSUS but only on networks with 10 or more systems.

Takes up a lot of space and is pretty heavy IMO.

Great software though, love it.
 
> I use WSUS but only on networks with 10 or more systems.
>
> Takes up a lot of space and is pretty heavy IMO.
>
> Great software though, love it.

My primary use is to keep the huge updates (.NET stuff, etc) from bogging the internet connection down.
 
> I use WSUS but only on networks with 10 or more systems.
>
> Takes up a lot of space and is pretty heavy IMO.
>
> Great software though, love it.

How long does it take to run updates on 10+ systems, and is it only heavy when it's running?

My thoughts are slap one up in a VM at work and schedule it to do its thing any time between 8pm and 4am.
 
> Until you have users with laptops that take them home each night or users that think turning off their computer at the end of the day saves money for the company by not using electricity. Then they fire it up in the morning, it installs the updates while they're writing a long email to their boss and then it reboots before they send it. :p

very good point there... wasn't thinking about that one. That sure would make for some unhappy people!

> Nope, I've got mine just like yours... No Auto Restart if a user is logged on.
>
> I do two things at night:
> 1) Updates
> 2) NOD32 FULL scans
> 3) Insert _____ here.
>
> #1 could be moved easily enough. But even as lightweight as NOD32 is, I don't want every single computer hitting a full system scan in the middle of the day!
> Also, leaving it on 24/7 allows me to push stuff out in the middle of the night from the comfort of the couch :D

hmm.. that's strange.

ohh but... don't the GPO's only affect the High Priority updates, and not the optional and hardware updates?

Although WGA updates/patches are usually in the High Priority section... But if it's not a High Priority, it won't get installed via GPO's.

I haven't messed with the deadlines and such, much. My Win2k3 server is running on a super old Celeron 600 with a whopping 256mb ram, and I was trying to run VM's on my crappy AthlonXP 3200+ which isn't very fun when trying to do other things.
 
It'll install whatever you approve and you can choose to download optional and hardware updates if you are so inclined.
 
> It'll install whatever you approve and you can choose to download optional and hardware updates if you are so inclined.

you sure?

Enable recommended updates via Automatic Updates:
Specifies whether Automatic Updates will deliver both important as well as recommended updates from the Windows Update update service.

When this policy is enabled, Automatic Updates will install recommended updates as well as important updates from Windows Update update service.

When disabled or not configured Automatic Updates will continue to deliver important updates if it is already configured to do so.

the GPO only does the "important" updates. Not the recommended updates, unless this option is Enabled.
Correct?

Now... pushing them through the WSUS console... I haven't delved into it that far.
 
> ohh but... don't the GPO's only affect the High Priority updates, and not the optional and hardware updates?
>
> the GPO only does the "important" updates


I think the above two points is what it is. It's only installing the Important stuff, not the recommended stuff...

Any solutions to have it install whatever I approve, regardless of status?

I mean, your huge companies like Cisco, Microsoft, Fortune 500 companies, etc, aren't leaving updates up to their users to manually get installed... So how are they doing it?
 
> I think the above two points is what it is. It's only installing the Important stuff, not the recommended stuff...
>
> Any solutions to have it install whatever I approve, regardless of status?
>
> I mean, your huge companies like Cisco, Microsoft, Fortune 500 companies, etc, aren't leaving updates up to their users to manually get installed... So how are they doing it?

maybe Enable the "Enable recommended updates via Automatic Updates" ?
That would be my guess.

although... maybe there's also a way to push select updates through the WSUS console?
It's been a while since I messed with it.
 
> you sure?

Go into Products and Classifications under Options. In the Classifications tab, you can choose:

Critical Updates
Definition Updates
Drivers
Feature Packs
Security Updates
Service Packs
Tools
Update Rollups
Updates
 
> Go into Products and Classifications under Options. In the Classifications tab, you can choose:
>
> Critical Updates
> Definition Updates
> Drivers
> Feature Packs
> Security Updates
> Service Packs
> Tools
> Update Rollups
> Updates

you mean in the WSUS console, correct? I haven't looked much through there.

I meant through GPO's :p
 
> you mean in the WSUS console, correct? I haven't looked much through there.
>
> I meant through GPO's :p

Yes, through the WSUS console, WSUS and group policy go hand in hand when it comes to patching machines. Or you can use SMS/SCCM to do the same thing.
 
> maybe Enable the "Enable recommended updates via Automatic Updates" ?
> That would be my guess.
>
> although... maybe there's also a way to push select updates through the WSUS console?
> It's been a while since I messed with it.

Yea, I've got that one enabled. I think that just makes them VISIBLE in Automatic Update, doesn't actually get them installed.
 
> Yea, I've got that one enabled. I think that just makes them VISIBLE in Automatic Update, doesn't actually get them installed.

I'll enable that one on my computer at work and see what happens.
maybe if I ever feel like dealing with it, I'll do it on one of my VM's and power my server back on.
 
I am going to try this at one of our clients. We have them on a specific number of hours per month, and lately, everything has been working so now I need to find something like this to do.

but we added domain users to the local admin group on all of the computers.. and it looks like this may cause a problem? there are 2-3 users who shut down at night and one that takes a laptop home most nights. then there are some who leave 20 emails open and freak out if they come in the next day and they are gone, so i might have to rethink this some.
 
Well, I'm going to let one of my machines sit and see what it does (if it auto-updates on its own or not). See what it does. Right now I was just RDPing to anything out of date to patch it back up (which not all the time, the Windows Update in the tray was there, I had to run regular Windows Update!).


> but we added domain users to the local admin group on all of the computers.. and it looks like this may cause a problem? there are 2-3 users who shut down at night and one that takes a laptop home most nights. then there are some who leave 20 emails open and freak out if they come in the next day and they are gone, so i might have to rethink this some.

Just always setting it to no reboot while logged on will prevent it from ever rebooting.

A more ideal solution would be to train them
1) Leave on at night (Optional, but then less background stuff it's doing during the day)
2) Teach them to log off (fix your leaving 20 emails open).

Logging on fresh each day prevents a LOT of application problems.
 
> I use WSUS but only on networks with 10 or more systems.
>
> Takes up a lot of space and is pretty heavy IMO.
>
> Great software though, love it.

Just curious, how heavy?
I am going to downgrade a server from 08 back to server 03 (to keep from having to get exchange 07 and upgrade bes, and cause all kinds of other hassles for no real gain)
so once that is done, i will decide which server to put this on.

there are 3 servers..
one will be primary dc, exchange, and have the "user" folders shared
one will have AD, exchange, and the "share" drive
third has BES, sav, and print server.

there are only 11 computers in the domain.. so it may not be worth it.
 
Well... I've got a 70GB update store on my server, to put in perspective. And I've just got XP clients and also I do Office 2007 updates.

So depending what all you've got, could be much larger.

Processing power isn't terribly much... I've got my SQL limited to using 512MB of RAM though so it doesn't decide to run away from me...
 
I also had the same issue as the OP when I was running a WSUS server. No matter what settings I played with in GP I just couldn't get the damn updates to install on their own all the time. After scouring through Google and technet I found a vbs that someone had written to do this very task. It contacts the WSUS server, downloads the necessary updates, and installs them. It can also force a reboot when finished, both the reboot and installing the updates are optional. It also can send an email with the results of each machine's updates, I found it pretty useful.

I tried using this as a start up script through GPO, but I ran into some issues. Partly due to permissions but also because I wanted it to run at a predetermined time, not always at start up. But anyway, the best way I could find to execute this script across the domain was to create a scheduled task via a dos batch file, and this way at whatever time necessary it would execute the WSUS force update vbs as the SYSTEM account silently in the background.

If anyone's interested, shoot me a PM. I think I still have both the dos batch file and the vbs somewhere.
 
Just to make sure we aren't skipping the obvious...you're approving the updates in WSUS right? :eek:

Never had a problem with it pushing out anything I approved.
 
> Just to make sure we aren't skipping the obvious...you're approving the updates in WSUS right? :eek:
>
> Never had a problem with it pushing out anything I approved.

Yep....

Actually it seems to have improved. However like with that Genuine Advantage update, is listed as a Necessary/Critical one in Windows Update yet hasn't come across WSUS.
 