Group Policy Settings

    Question

  • I have a question about what the right policy settings are for a WSUS client system.

    The server is a Windows 2003 R2 Standard with WSUS 3.2 installed.

    There are many workstations at the site but there are 6 that need some special settings.

    An AD OU has been created for just them. What I need to know is what WSUS and GPO settings are needed to get the workstations to function in a very specific manner.

    I need them to

    1. Check with the WSUS server once a day at the same time every day for updates

    2. If there are updates download them and install them.

    3. Force a system reboot if necessary.

    4. Do all steps 1 through 3 regardless of who is logged on to the machine.

    5. Do this only at a specified time (i.e. 4:00 AM) and at no other time.

    6. At any other time there can be absolutely no reboots or notifications of any kind.

    These systems are PCs that are used as Point of Sale registers in a business and cannot be disrupted during the business day. I want to have the workstations check in once a day on a 24 hour cycle and not a 22, as a 22 will eventually cause an issue during the business day.


    Mike

    Monday, June 18, 2012 14:08

All Replies

  • Hi,

    To configure a client to connect to WSUS to install updates, you should first configure Group Policy:

    Configure Automatic Updates
    Specify Intranet Microsoft Update Service Location

    >  1. Check with the WSUS server once a day at the same time every day for updates

    By default Automatic Updates will check for available updates at an interval of 22 hours (minus a random value between 0 and 20 percent of that number). You can specify the number of hours that Windows will wait before checking for available updates: Automatic Update detection frequency (also, it’s not a fixed time; minus a random value between 0 and 20 percent of that number).

    > 2. If there are updates download them and install them.

    Enable Group Policy: Allow Automatic Update immediate installation

    If the status is set to Enabled, Automatic Updates will immediately install these updates after they have been downloaded and are ready to install.

    > 3. Force a system reboot if necessary.
    > 4. Do all steps 1 through 3 regardless of who is logged on to the machine.

    Configure Group Policy: Re-prompt for Restart with Scheduled Installations

    If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed.

    > 5. Do this only at a specified time (i.e. 4:00 AM) and at no other time.
    > 6. At any other time there can be absolutely no reboots or notifications of any kind.

    I think this conflicts with your question 2.

    However, you can set it in Group Policy: Configure Automatic Updates --> Auto download and schedule the install

    For more information please refer to the following MS articles:

    Configure Clients Using Group Policy
    http://technet.microsoft.com/en-us/library/cc708574(v=WS.10).aspx

    Lawrence

    TechNet Community Support

    Tuesday, June 19, 2012 06:48
  • Thank You for your response

    Just to make sure, because sometimes I can be a little thick.

    If I configure the policy

    Configure Automatic Updates

    The settings for this policy enable you to configure how Automatic Updates works. You must specify that Automatic Updates download updates from the WSUS server rather than from Windows Update.

    correctly using option '4-Auto download and schedule the install'

    The client system can get updates at any time, download them, and install and reboot only at the time specified.


    The thing that concerns me is that

    1. At the scheduled installation time if the system needs to be rebooted, It will be regardless of the logged on user ID

    2. At any other time of day there would be no activity that would disrupt the system.

    For number 2, having the client communicate with the WSUS server could be OK, as long as there is no notification to the user and absolutely zero rebooting of the client during the day. Downloading and installing updates that will not disrupt the client system in any way would be OK but would be preferred not to in case some critical update that WSUS doesn't think will need a reboot, but does gets installed and reboots the client at a bad time.

    What other Policy options would be best to configure to achieve this desired outcome?

    I have configured them as such; any policy settings not listed are not configured.

    Configure Automatic Updates

                    4-Auto Download  / Scheduled installed 0-everyday / Scheduled Time 04:00

    Reschedule Automatic Updates scheduled installations

                    Not Configured

    No auto-restart for scheduled Automatic Update installation options

                    Not configured

    Automatic Update detection frequency

                    ? With ‘Automatic Updates’ configured as it is, does it matter

    Allow Automatic Update immediate installation

                    Disabled

    Delay restart for scheduled installations

                    Enabled – 5 minutes or less

    Allow non-administrators to receive update notifications

                    Disabled / No notification is to be given

    Power Management

                    Will wake a sleeping system for updates if needed



    Thank you for all your assistance

    Mike

    Tuesday, June 19, 2012 13:00
  • Hi,


    > 1. At the scheduled installation time if the system needs to be rebooted, It will be regardless of the logged
    > on user ID

    Yes, if you select action 4 “Auto download and schedule the install”, then if an update requires a reboot in order to complete installation, the client will automatically reboot. If an administrative user happens to be logged on during this time, they will see a restart notification and have the option to delay the reboot. Non-administrative users will see the notification (enabling them to save their work). They will not be able to delay the restart, but they can initiate the reboot.

    > 2. At any other time of day there would be no activity that would disrupt the system.

    Yes, no notification; Windows Update Agent will contact WSUS and download available updates in silent mode.

    > but would be preferred not to in case some critical update that WSUS doesn't think will need a reboot, but
    > does gets installed and reboots the client at a bad time.

    No, that’s impossible. Actually, by default minor updates will install immediately after they are downloaded to the client when AU configuration options are applied. But minor updates here means updates that neither interrupt Windows services nor restart Windows. So a critical update which needs a restart to interrupt Windows will not install outside the scheduled time. Also, you can disable the “Allow Automatic Updates immediate installation” policy to stop minor updates from installing outside the scheduled time.

    > Reschedule Automatic Updates scheduled installations
    >                 Not Configured

    That’s OK. This policy enables an admin to specify a period of time after startup in which to proceed with a scheduled installation that may have been missed (for example, if the system was shut down during the scheduled time for the last update install). If you disable it, no update will install during your business hours until the next scheduled time.

    > No auto-restart for scheduled Automatic Update installation options
    > Not configured

    It’s OK. When not configured, AU will notify the user and restart the computer at the scheduled time.

    > Automatic Update detection frequency
    > With ‘Automatic Updates’ configured as it is, does it matter

    By default, a client will check in with the WSUS server every 22 hours, or the check-in can be configured to occur as you want.

    Leave it Not Configured, it’s OK.

    > Allow Automatic Update immediate installation
    > Disabled

    It’s OK, we discussed already.

    > Delay restart for scheduled installations
    >                 Enabled – 5 minutes or less

    It’s OK.

    > Delay restart for scheduled installations
    >                 Enabled – 5 minutes or less

    It’s OK.

    > Power Management
    >                 Will wake a sleeping system for updates if needed

    It’s OK.

    For more information please refer to the following MS articles:

    Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy
    http://technet.microsoft.com/en-us/library/cc512630.aspx

    Lawrence

    TechNet Community Support

    Wednesday, June 20, 2012 09:17
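
One way to confirm on a POS client that the settings discussed in this thread actually applied, as an added example that is not part of any post above: a read-only PowerShell check of the registry values that back these Automatic Updates policies. The expected values mirror the list in Mike's follow-up; the function and variable names are illustrative.

```powershell
# Added example (read-only): check Automatic Updates policy values on a client.
# Expected values are taken from the settings listed in this thread. "absent"
# means the policy is Not Configured, so no value is written to the registry.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue($Key, $Name) {
    # Returns $null when the key or the value does not exist.
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }
}

$absent = { param($v) $null -eq $v }
$checks = @(
    # Specify intranet Microsoft update service location: Enabled
    @{ Key=$au; Name='UseWUServer';                   Want='1';      Test={ param($v) $v -eq 1 } },
    # Configure Automatic Updates: 4-Auto download and schedule the install
    @{ Key=$au; Name='AUOptions';                     Want='4';      Test={ param($v) $v -eq 4 } },
    # Scheduled install day 0-every day, scheduled time 04:00
    @{ Key=$au; Name='ScheduledInstallDay';           Want='0';      Test={ param($v) $v -eq 0 } },
    @{ Key=$au; Name='ScheduledInstallTime';          Want='4';      Test={ param($v) $v -eq 4 } },
    # Allow Automatic Updates immediate installation: Disabled
    @{ Key=$au; Name='AutoInstallMinorUpdates';       Want='0';      Test={ param($v) $v -eq 0 } },
    # Delay restart for scheduled installations: Enabled, 5 minutes or less
    @{ Key=$au; Name='RebootWarningTimeoutEnabled';   Want='1';      Test={ param($v) $v -eq 1 } },
    @{ Key=$au; Name='RebootWarningTimeout';          Want='1..5';   Test={ param($v) $v -ge 1 -and $v -le 5 } },
    # Policies left Not Configured in the thread
    @{ Key=$au; Name='NoAutoRebootWithLoggedOnUsers'; Want='absent'; Test=$absent },
    @{ Key=$au; Name='RescheduleWaitTimeEnabled';     Want='absent'; Test=$absent },
    @{ Key=$au; Name='DetectionFrequencyEnabled';     Want='absent'; Test=$absent },
    # Allow non-administrators to receive update notifications: Disabled
    @{ Key=$wu; Name='ElevateNonAdmins';              Want='0';      Test={ param($v) $v -eq 0 } }
)

$report = foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Key $c.Name
    $shown  = if ($null -eq $actual) { '(absent)' } else { $actual }
    New-Object PSObject -Property @{
        Value  = $c.Name
        Want   = $c.Want
        Actual = $shown
        OK     = [bool](& $c.Test $actual)
    }
}
$report | Select-Object Value, Want, Actual, OK | Format-Table -AutoSize
```

Run it on a workstation in the POS OU after a policy refresh; any row with OK = False points at a GPO setting that did not reach the client or is being overridden by another policy.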