Group Policy Settings
-
Monday, June 18, 2012 14:08
I have a question about what is the right policy settings for a WSUS client system.
The server is a Windows 2003 R2 Standard with WSUS 3.2 installed.
There are many workstations at the site but there are 6 that need some special settings.
An AD OU has been created for just them. What I need to know is what are the WSUS and GPO settings needed to get the workstation to function in a very specific manner.
I need them to
1. Check with the WSUS server once a day at the same time every day for updates
2. If there are updates download them and install them.
3. Force a system reboot if necessary.
4. Do all steps 1 through 3 regardless of who is logged on to the machine.
5. Do this only at a specified time (i.e. 4:00 AM) and at no other time.
6. At any other time there can be absolutely no reboots or notifications of any kind.
These systems are PCs that are used as Point of Sale registers in a business and cannot be disrupted during the business day. I want to have the workstations check in once a day on a 24 hour cycle and not a 22, as a 22 will eventually cause an issue during the business day.
Mike
All Replies
-
Tuesday, June 19, 2012 06:48 Moderator
Hi,
To configure clients to connect to WSUS to install updates, you should first configure Group Policy:
Configure Automatic Updates
Specify Intranet Microsoft Update Service Location
> 1. Check with the WSUS server once a day at the same time every day for updates
By default, Automatic Updates will check for available updates at an interval of 22 hours (minus a random value between 0 and 20 percent of that number). You can specify the number of hours that Windows will wait before checking for available updates: Automatic Update detection frequency. (Also, it’s not a fixed time: minus a random value between 0 and 20 percent of that number.)
> 2. If there are updates download them and install them.
Enable Group Policy: Allow Automatic Update immediate installation
If the status is set to Enabled, Automatic Updates will immediately install these updates after they have been downloaded and are ready to install.
> 3. Force a system reboot if necessary.
> 4. Do all steps 1 through 3 regardless of who is logged on to the machine.
Configure Group Policy: Re-prompt for Restart with Scheduled Installations
If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed.
> 5. Do this only at a specified time (i.e. 4:00 AM) and at no other time.
> 6. At any other time there can be absolutely no reboots or notifications of any kind.
I think this conflicts with your question 2.
However, you can set it in Group Policy: Configure Automatic Updates --> Auto download and schedule the install
For more information please refer to the following MS articles:
Configure Clients Using Group Policy
http://technet.microsoft.com/en-us/library/cc708574(v=WS.10).aspx
Lawrence
TechNet Community Support
- Marked as answer by Lawrence Lv, Microsoft Contingent Staff, Moderator, Friday, June 29, 2012 01:15
-
Tuesday, June 19, 2012 13:00
Thank You for your response
Just to make sure, because sometimes I can be a little thick.
If I configure the policy
Configure Automatic Updates
The settings for this policy enable you to configure how Automatic Updates works. You must specify that Automatic Updates download updates from the WSUS server rather than from Windows Update.
correctly using option '4-Auto download and schedule the install'
The client system can get updates at any time, download them, and install and reboot only at the time specified.
The thing that concerns me is that
1. At the scheduled installation time if the system needs to be rebooted, it will be, regardless of the logged on user ID
2. At any other time of day there would be no activity that would disrupt the system.
For number 2, having the client communicate with the WSUS server could be OK, as long as there is no notification to the user and absolutely zero rebooting of the client during the day. Downloading and installing updates that will not disrupt the client system in any way would be OK but would be preferred not to in case some critical update that WSUS doesn't think will need a reboot, but does, gets installed and reboots the client at a bad time.
What other Policy options would be best to configure to achieve this desired outcome?
I have configured them as such; any policy settings not listed are not configured.
Configure Automatic Updates
4-Auto Download / Scheduled installed 0-everyday / Scheduled Time 04:00
Reschedule Automatic Updates scheduled installations
Not Configured
No auto-restart for scheduled Automatic Update installation options
Not configured
Automatic Update detection frequency
With ‘Automatic Updates’ configured as it is, does it matter?
Allow Automatic Update immediate installation
Disabled
Delay restart for scheduled installations
Enabled – 5 minutes or less
Allow non-administrators to receive update notifications
Disabled / No notification is to be given
Power Management
Will wake a sleeping system for updates if needed
Thank you for all your assistance
Mike
-
Wednesday, June 20, 2012 09:17 Moderator
Hi,
> 1. At the scheduled installation time if the system needs to be rebooted, it will be, regardless of the logged on user ID
Yes, if you select action 4 “Auto download and schedule the install”, then if an update requires a reboot in order to complete installation, the client will automatically reboot. If an administrative user happens to be logged on during this time, they will see a restart notification and have the option to delay the reboot. Non-administrative users will see the notification (enabling them to save their work). They will not be able to delay the restart, but they can initiate the reboot.
> 2. At any other time of day there would be no activity that would disrupt the system.
Yes, no notification. Windows Update Agent will contact WSUS and download available updates in silent mode.
> but would be preferred not to in case some critical update that WSUS doesn't think will need a reboot, but does, gets installed and reboots the client at a bad time.
No, that’s impossible. Actually, by default minor updates will install immediately after they are downloaded to the client when AU configuration options are applied. But minor updates here indicate updates that neither interrupt Windows services nor restart Windows. So a critical update which needs a restart to interrupt Windows will not install in nonscheduled time. Also, you can disable the “Allow Automatic Updates immediate installation” policy to disable installing minor updates in nonscheduled time.
> Reschedule Automatic Updates scheduled installations
> Not Configured
That’s OK. This policy enables an admin to specify a period of time after startup in which to proceed with a scheduled installation that may have been missed (for example, if the system was shut down during the scheduled time for the last update install). If you disable it, no update will install in your business time until the next scheduled time.
> No auto-restart for scheduled Automatic Update installation options
> Not configured
It’s OK. When not configured, AU will notify the user and restart the computer at the scheduled time.
> Automatic Update detection frequency
> With ‘Automatic Updates’ configured as it is, does it matter
By default, a client will check in with the WSUS server every 22 hours, or the check-in can be configured to occur as you want.
Leave it Not Configured, it’s OK.
> Allow Automatic Update immediate installation
> Disabled
It’s OK, we discussed already.
> Delay restart for scheduled installations
> Enabled – 5 minutes or less
It’s OK.
> Power Management
> Will wake a sleeping system for updates if needed
It’s OK.
For more information please refer to the following MS articles:
Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy
http://technet.microsoft.com/en-us/library/cc512630.aspx
Lawrence
TechNet Community Support
- Marked as answer by Lawrence Lv, Microsoft Contingent Staff, Moderator, Friday, June 29, 2012 01:15
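
An added example, not part of the original thread: a PowerShell check that can be run on one of the six POS clients to confirm the GPO discussed above actually landed as intended (scheduled 04:00 install, no immediate installs, forced restart, no user notifications). The registry value names are the standard ones behind these Group Policy settings and are an assumption here, since the thread names only the policies; the expected values follow the configuration Mike lists.

```powershell
# Added example: audit the Windows Update policy values on one POS client.
# Assumption: value names are the standard registry names behind the GPO
# settings named in the thread; the thread itself does not list them.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue($Key, $Name) {
    # Returns $null when the key or the value is absent (Not Configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$absentOrZero = { -not $args[0] }   # true for both "absent" and 0
$checks = @(
    @{ Key = $au; Name = 'UseWUServer';          Why = 'Use the intranet WSUS server';         Test = { $args[0] -eq 1 } },
    @{ Key = $au; Name = 'NoAutoUpdate';         Why = 'Automatic Updates enabled';            Test = { $args[0] -eq 0 } },
    @{ Key = $au; Name = 'AUOptions';            Why = '4 = auto download, scheduled install'; Test = { $args[0] -eq 4 } },
    @{ Key = $au; Name = 'ScheduledInstallDay';  Why = '0 = every day';                        Test = { $args[0] -eq 0 } },
    @{ Key = $au; Name = 'ScheduledInstallTime'; Why = '4 = 04:00';                            Test = { $args[0] -eq 4 } },
    # Must not be 1, or a logged-on user blocks the 04:00 restart.
    @{ Key = $au; Name = 'NoAutoRebootWithLoggedOnUsers'; Why = 'No auto-restart: Not Configured'; Test = $absentOrZero },
    # Must be off so nothing installs outside the scheduled window.
    @{ Key = $au; Name = 'AutoInstallMinorUpdates';       Why = 'Immediate installation: Disabled'; Test = $absentOrZero },
    # Must be off so a missed install is not retried after the next startup.
    @{ Key = $au; Name = 'RescheduleWaitTimeEnabled';     Why = 'Reschedule: Not Configured';       Test = $absentOrZero },
    @{ Key = $au; Name = 'RebootWarningTimeoutEnabled';   Why = 'Delay restart: Enabled';           Test = { $args[0] -eq 1 } },
    @{ Key = $au; Name = 'RebootWarningTimeout';          Why = 'Delay restart: 5 minutes or less'; Test = { $args[0] -ge 1 -and $args[0] -le 5 } },
    @{ Key = $au; Name = 'AUPowerManagement';             Why = 'Wake system for scheduled install'; Test = { $args[0] -eq 1 } },
    @{ Key = $wu; Name = 'ElevateNonAdmins';              Why = 'Non-admin notifications: Disabled'; Test = { $args[0] -eq 0 } }
)

$report = foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Key $c.Name
    New-Object PSObject -Property @{
        Value   = $c.Name
        Actual  = $(if ($null -eq $actual) { 'absent' } else { $actual })
        Result  = $(if (& $c.Test $actual) { 'OK' } else { 'MISMATCH' })
        Setting = $c.Why
    }
}
$report | Select-Object Value, Actual, Result, Setting | Format-Table -AutoSize
# Non-zero exit code lets a scheduled task or monitoring agent flag drift.
if ($report | Where-Object { $_.Result -eq 'MISMATCH' }) { exit 1 }
```

Run it after `gpupdate /force` on the client so the registry reflects the current policy.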