WSUS setup for servers vs end-user pc's.

  • Question

  • Our Server group just finished building a WSUS for their servers to get updates. I told them that I would like our everyday end-user computers (mobile, laptop and desktop units) to also hit that WSUS during MDT. This would mean that the end-user computers would get different updates than their servers would, talking to the same WSUS.

    They're informing me that this would require a separate WSUS server for us than their servers. I'm guessing "I" am going to be tasked with providing "them" with instructions on how to set up their server to do this. Is there a simple way to configure this? I'm reading that they can incorporate our AD GPO's, already in place, for our client pc's to use as the rules to follow for what updates we get. I see in MDT that I can specify the WSUS server AND the target group in the CS.INI file.

    If I can provide, at least, some official MS documentation that they can read, follow and implement, I'd jump on that. Since I won't be having to build or maintain this, I'm not wanting to invest all of my time in research.
    Any info on multiple-group targets getting different updates would be awesome. Basically we'd need two groups: Client end group and server group.

    Friday, March 9, 2018 8:43 PM

Answers

  • Use the automatic approvals option with computer groups.

    Create computer groups in the WSUS console.

    Add computers into those groups as you want.

    Then use the automatic approval option (it allows you to filter what type of update should install or not).

    Refer here: https://www.rootusers.com/configure-update-approvals-and-deployments-in-wsus/

    • Proposed as answer by Yan Li_ Wednesday, March 21, 2018 5:53 AM
    • Marked as answer by the1rickster Wednesday, March 21, 2018 12:50 PM
    Saturday, March 10, 2018 7:52 PM
  • Hello,

    When we approve an update, we can select to approve it for a specific computer group. This way, different computer groups can get different updates.

    In addition, for different computer groups in WSUS, you can create different automatic approval rules for them.

    Regards,

    Yan Li



    • Marked as answer by the1rickster Wednesday, March 21, 2018 12:50 PM
    Wednesday, March 21, 2018 6:00 AM
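
The two answers above (one WSUS server, separate computer groups, per-group approvals and automatic approval rules) can be scripted as follows. This is an added example, not part of the original thread; the group names, the rule name and the choice of classifications are assumptions.

```powershell
# Added example. Run elevated on the WSUS server (UpdateServices module installed).
Import-Module UpdateServices
$wsus = Get-WsusServer                      # connects to the local WSUS instance

$serverGroupName = 'Servers'                # hypothetical group names
$clientGroupName = 'Client PCs'
$ruleName        = 'Auto-approve security updates for Client PCs'   # hypothetical

# 1. Create both computer groups if they do not exist yet.
$existing = $wsus.GetComputerTargetGroups() | Select-Object -ExpandProperty Name
foreach ($name in $serverGroupName, $clientGroupName) {
    if ($existing -notcontains $name) { [void]$wsus.CreateComputerTargetGroup($name) }
}

# 2. Automatic approval rule scoped to the client group only.
if (-not ($wsus.GetInstallApprovalRules() | Where-Object Name -eq $ruleName)) {
    $groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
    $wsus.GetComputerTargetGroups() |
        Where-Object Name -eq $clientGroupName |
        ForEach-Object { [void]$groups.Add($_) }

    $classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
    $wsus.GetUpdateClassifications() |
        Where-Object { $_.Title -in 'Critical Updates', 'Security Updates' } |
        ForEach-Object { [void]$classes.Add($_) }

    $rule = $wsus.CreateInstallApprovalRule($ruleName)
    $rule.SetComputerTargetGroups($groups)
    $rule.SetUpdateClassifications($classes)
    $rule.Enabled = $true
    $rule.Save()
}

# 3. Servers stay on manual approval: preview what would be approved for that
#    group only. Remove -WhatIf to apply after review.
Get-WsusUpdate -Classification Security -Approval Unapproved -Status Needed |
    Approve-WsusUpdate -Action Install -TargetGroupName $serverGroupName -WhatIf

# 4. Report group membership so a machine sitting in the wrong group is visible.
foreach ($g in $wsus.GetComputerTargetGroups()) {
    '{0}: {1} computers' -f $g.Name, $g.GetComputerTargets().Count
}
```

For clients to land in a group by Group Policy or by the TargetGroup value in CS.INI, the WSUS Computers option must be set to use Group Policy or registry settings, and the group name sent by the client must match a group that already exists on the server.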

All replies

  • For my purposes, in MDT, I would modify the CS.INI as:

    Properties=TargetGroup

    WSUSServer=http://nameofserver:8530
    TargetGroup=name of client pc's group

    I'm guessing this would tell our client-end computers to use the specified WSUS.
    However, I'm not sure of the best way to have all of our computers, other than servers, get the correct updates applied to them. Thus the reason for my post.
    Somehow they can use AD GPO already in place to define what pc's belong to this target group.

    Friday, March 9, 2018 9:46 PM
  • I will also ask this in the main Deploy thread group.
    Friday, March 9, 2018 9:54 PM
  • Hello,

    Use Group Policy for WSUS implementation... refer to this guide.

    https://gallery.technet.microsoft.com/Windows-Server-Update-Step-cf811a18

    Keep this guide for troubleshooting purposes.

    https://gallery.technet.microsoft.com/Troubleshooting-WSUS-d63da113?redir=0

    Saturday, March 10, 2018 3:24 AM
  • Thanks. This part I understand....the initial setup of WSUS. What I need is clear info on separate groups in our AD which will get separate Updates. Our Servers will be getting one set of updates while our client-end computers (everything but servers) will be getting a different set of updates. I'm wondering if that is what is meant by TargetGroups. I'm hoping to find procedures on creating 'groups' which all hit the same WSUS but one group differs from another in the updates they get.
    Saturday, March 10, 2018 3:02 PM
  • Yeah...I'm told we are going to build a separate WSUS for our client computers while the Server group uses theirs that they built just for their servers. Lovely leaps back into 1990.
    Wednesday, March 21, 2018 12:51 PM