SUS help

jonw757

Well, due to the latest worms we had a small problem come up with SUS. It seems SUS has a "feature" that won't distribute the recently approved patches until 24 hours after the initial network connection is made by the computer. We have some users who bring their laptops home every night and end up getting the patches a day later than everyone else. My question is... Is there a way to change this time so that as soon as they connect it will download and install? It's usually not a big deal, but we wanted to get the patches out ASAP and another full day wasn't really acceptable. I know there is a reg hack to get it to go out right away, but I would hope there is an easier way.

For example, we approved the new patches on Tuesday night at 1am. The user came in on Tuesday morning and connected. The initial connection was made and it realized there was a new update. So being on the network the whole day nothing happened; he came in the next morning and booted up and it asked to install the new patches. I am not really sure of the logic behind this, but any help would be much appreciated!
 
By default, Windows Update clients only check the server for updates every 22 hours. Using SUS, the only way to force an update to go sooner would be to update the last update check time recorded in the registry. Also, just because a patch is downloaded, it will only be installed according to the auto-update settings on the machine. If it is downloaded days before the install time, it will wait until the install time to install. If the user is not an administrator, they are not notified that the patch is available. If the user is an admin, they can start the install if they want at any time after it is downloaded.

A real pain.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\NextDetectionTime (Set the value to five minutes before whatever the current time is, then stop and restart the auto Update service to force a nearly immediate download of patches)

If you deploy WSUS, you get some additional control over update behavior through group policy. You can custom configure the check-in interval to any value you want, and you can deadline a particular patch on the WSUS server so that even if the client would normally patch on Friday evening, you could deadline the patch for Wednesday evening. If the machine checked in before Wednesday evening, it would install the patch it downloaded Wednesday evening. If it checked in after Wednesday evening, it would install the patch immediately as soon as it was downloaded rather than waiting until its normal Friday night application time.

You can control patch releases so that a patch is only approved for one group of computers as well. If a dreaded patch conflict occurs, you can instruct a patch to be rolled back off workstations as well. Office updates and other server product updates are integrated as well.

You can allow non-administrators to install patches as soon as they are downloaded instead of making them wait for the next automated install time, if you want. They can receive the same "updates are ready" notification admins receive if you turn the feature on through group policy.

WSUS rocks!
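
The registry step described in the reply above, as an added PowerShell example that is not part of the original thread. It assumes an elevated session and that `NextDetectionTime` is stored as a `yyyy-MM-dd HH:mm:ss` string in UTC (check the value already present on a client first); `wuauserv` is the Automatic Updates service name, and the `DetectionFrequency` policy values are only reported, not changed.

```powershell
# Added example: pull the next Automatic Updates detection forward on one client.
# Assumption: NextDetectionTime is a string in "yyyy-MM-dd HH:mm:ss" form (UTC).
# Compare with the value already on the client before relying on this format.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$MinutesBack = 5   # the reply suggests five minutes before the current time
)

$auKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$service   = 'wuauserv'

if (-not (Test-Path $auKey)) {
    throw "Key not found: $auKey"
}

# Record the current value first so the change can be reviewed or reverted.
$current = (Get-ItemProperty -Path $auKey -Name NextDetectionTime -ErrorAction SilentlyContinue).NextDetectionTime
Write-Output "Current NextDetectionTime: $current"

# Report the group-policy detection interval if one has been pushed to this client.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.DetectionFrequencyEnabled -eq 1) {
    Write-Output "Policy detection interval: $($policy.DetectionFrequency) hour(s)"
} else {
    Write-Output 'No detection-frequency policy set; the client uses its default interval.'
}

$newValue = (Get-Date).ToUniversalTime().AddMinutes(-$MinutesBack).ToString('yyyy-MM-dd HH:mm:ss')

# -WhatIf shows the intended change without touching the registry or the service.
if ($PSCmdlet.ShouldProcess($auKey, "Set NextDetectionTime to $newValue and restart $service")) {
    Set-ItemProperty -Path $auKey -Name NextDetectionTime -Value $newValue
    Restart-Service -Name $service
    Write-Output "NextDetectionTime set to $newValue; $service restarted."
}
```

Run it with `-WhatIf` first to see the current value and the pending change; installation timing still follows the client's auto-update settings, as the reply notes.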
 
Wow, I had not read up a ton on WSUS due to it not really being my responsibility and having many other projects going on, but it looks like here is our way to force the move to it. You helped a ton, thanks!! :)
 