How to best manage computer groups in WSUS

  • Question

  • Hello,

     I'm working on using WSUS to manage updates for our 2003 servers (as they're unsupported on our version of SCCM). I have around 300 Windows 2003 servers. They cannot all have the same update approved at the same time and nor can they be rebooted at the same time.

    I was thinking of deploying say 5 different computer groups in WSUS and using GPOs to state which day of the week the updates will be deployed. I'm slightly lost on the best way to manage the computers and updates.

    If I have 5 different computer groups in WSUS (let's say from least critical, 1, to most important, 5), will I need 5 different GPOs to deploy the updates?

    Advice appreciated.

    Thanks 

    Tuesday, November 26, 2019 4:16 PM

Answers

  • If I have 5 different computer groups in WSUS (let's say from least critical, 1, to most important, 5), will I need 5 different GPOs to deploy the updates?

    If your goal is to allow different servers to update, install, and restart at different times, it is feasible to consider configuring different GPOs. Depending on your needs, the following group policies can be configured differently:
       

    • [Windows Components \ Windows Update]
      "Configure Automatic Updates" - Configure when automatic updates take place.
      "Always automatically restart at the scheduled time" - Determine whether to perform a restart immediately.
      "Enable client-side targeting" - Let the client join the specified WSUS computer group. (Need to adjust in WSUS to use Group Policy or registry settings for grouping.)
       
    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Peter.Siffredi Tuesday, December 10, 2019 3:36 PM
    Wednesday, November 27, 2019 2:05 AM
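The three policies named in the answer above each end up as values under the Windows Update policy registry key on the client, which is what a GPO writes. The following PowerShell is an added example, not code from the thread or from Microsoft: it lets you prototype one tier's settings on a test box and read back what the client will actually use before the five GPOs and OU links are built. The WSUS URL, the tier names and the day/hour table are assumptions to replace with your own. Note that "Always automatically restart at the scheduled time" (AlwaysAutoRebootAtScheduledTime) was introduced with Windows 8 and Server 2012, so the example uses the older NoAutoRebootWithLoggedOnUsers value instead, which a 2003 client does honour.

```powershell
# Added example (not from the thread): prototype the per-tier Windows Update
# policy on one test client and verify the result.
# Assumed (hypothetical): WSUS at http://wsus01.example.local:8530 and
# WSUS computer group names Tier1-LeastCritical .. Tier5-MostCritical.

$WsusUrl   = 'http://wsus01.example.local:8530'   # assumption
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

# One entry per planned GPO: WSUS target group -> scheduled install day/hour.
# ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday.
# ScheduledInstallTime: hour of day, 0-23.
$Tiers = @{
    'Tier1-LeastCritical' = @{ Day = 2; Hour = 2 }   # Monday 02:00
    'Tier2'               = @{ Day = 3; Hour = 2 }   # Tuesday 02:00
    'Tier3'               = @{ Day = 4; Hour = 2 }   # Wednesday 02:00
    'Tier4'               = @{ Day = 5; Hour = 2 }   # Thursday 02:00
    'Tier5-MostCritical'  = @{ Day = 7; Hour = 3 }   # Saturday 03:00
}

function Set-WsusTierPolicy {
    param([Parameter(Mandatory=$true)][string]$Tier)

    if (-not $Tiers.ContainsKey($Tier)) { throw "Unknown tier '$Tier'" }
    $t = $Tiers[$Tier]

    foreach ($k in $PolicyKey, $AuKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # "Specify intranet Microsoft update service location" + "Enable client-side targeting".
    Set-ItemProperty $PolicyKey -Name WUServer           -Value $WsusUrl -Type String
    Set-ItemProperty $PolicyKey -Name WUStatusServer     -Value $WsusUrl -Type String
    Set-ItemProperty $PolicyKey -Name TargetGroupEnabled -Value 1        -Type DWord
    Set-ItemProperty $PolicyKey -Name TargetGroup        -Value $Tier    -Type String
    # "Configure Automatic Updates": AUOptions 4 = auto download and schedule the install.
    Set-ItemProperty $AuKey -Name NoAutoUpdate         -Value 0       -Type DWord
    Set-ItemProperty $AuKey -Name UseWUServer          -Value 1       -Type DWord
    Set-ItemProperty $AuKey -Name AUOptions            -Value 4       -Type DWord
    Set-ItemProperty $AuKey -Name ScheduledInstallDay  -Value $t.Day  -Type DWord
    Set-ItemProperty $AuKey -Name ScheduledInstallTime -Value $t.Hour -Type DWord
    # 0 = a logged-on session does not block the scheduled restart.
    Set-ItemProperty $AuKey -Name NoAutoRebootWithLoggedOnUsers -Value 0 -Type DWord

    # Drop the cached group membership and make the client report in again.
    & wuauclt.exe /resetauthorization /detectnow
}

function Get-WsusTierPolicy {
    # Read back the effective settings so a wrong OU link or a missing GPO
    # shows up before patch night rather than during it.
    $p  = Get-ItemProperty $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty $AuKey     -ErrorAction SilentlyContinue
    $days = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

    $group = '(targeting disabled)'
    if ($p.TargetGroupEnabled -eq 1) { $group = $p.TargetGroup }
    $day = $null
    if ($null -ne $au.ScheduledInstallDay) { $day = $days[$au.ScheduledInstallDay] }

    New-Object PSObject -Property @{
        WsusServer  = $p.WUServer
        TargetGroup = $group
        AUOptions   = $au.AUOptions
        InstallDay  = $day
        InstallHour = $au.ScheduledInstallTime
    }
}

# Usage on a test box (run elevated):
#   Set-WsusTierPolicy -Tier 'Tier3'
#   Get-WsusTierPolicy
```

Once the values look right on the test box, the same five day/hour pairs become the five GPOs, each linked to the OU (or filtered to the AD group) that holds that tier. Get-WsusTierPolicy is also a handy check to run across the estate after the GPOs are linked, since a server that shows "(targeting disabled)" will land in Unassigned Computers in WSUS and never see its tier's approvals.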

All replies

  • Windows 2003 is unsupported, period. End of life was 2015. When I retired 2 years ago, our few remaining 2003 servers had not received any WSUS delivered patches in quite some time. I don't think that there is going to be anything to install unless there is some critical vulnerability that MS decides to "be nice" and release a patch for.

    Our philosophy for all servers was to patch development and test servers one month and then apply that set of updates the next month to our production systems. That gave the updates a month to "burn in" to see if they caused any problems. We had some unique scheduling requirements so we automated the task scheduler to install the updates. Sorry, I can't answer the GPO question.

    You really need to get off of 2003. (I'm sure that you are already painfully aware of that.)

    https://www.microsoft.com/en-us/cloud-platform/windows-server-2003

    https://www.itprotoday.com/business-resources/risks-running-windows-server-2003-beyond-end-life-its-time-act-whats-your-action

     
    • Edited by MotoX80 Tuesday, November 26, 2019 11:40 PM
    Tuesday, November 26, 2019 11:39 PM
  • Moto,

     Yes, I am painfully aware of that. However I also work for a public sector organisation with several hundred unsupported servers that must be run for business critical functions - I've been told to patch them where possible as they're lacking some of the 2003 patches.

    Thanks Yic,

     So, essentially, I'll be looking at say 5 different computer groups, then 5 GPOs scoped to 5 different OUs or computer groups to link it all together?

    Cheers

    Wednesday, November 27, 2019 11:53 AM
  • as they're lacking some of the 2003 patches.


    MS stopped releasing patches 4 years ago, so that means that these servers likely have not been updated in a long time. Ugh! Before I would attempt to patch them I would verify that a good (regularly scheduled) backup exists for each and that you have done a DR test on a few to verify that they can be recovered if something bad happens. (Hardware failure, ransomware encrypted files, patching problem, etc.)

    Are these all VMs? I've seen comments like this where users have problems with license activation.

    https://serverfault.com/questions/173469/windows-2003-activation-nightmare-changed-hardware

    https://social.technet.microsoft.com/Forums/en-US/afb6fd60-c3fd-46b8-84d2-96bf2b617ca9/windows-server-2003-activation-required-after-recovery


    Wednesday, November 27, 2019 6:08 PM
  • If Microsoft really isn't releasing updates for the past 4 years, I would just use WSUS to identify the patches missing from the servers. The likelihood of it being different patches on all the servers is slim. I would then just go to the Windows Update Catalog and manually download and install, or script the installation. If they haven't been updated in 4 years, then you don't expect to update them over a weekend anyway. I would not trust WSUS to install anyway for an older server. You could realistically do 20-30 a day for a few weeks.

    Just my thoughts..

    Wednesday, November 27, 2019 7:22 PM
  • So, essentially, I'll be looking at say 5 different computer groups, then 5 GPOs scoped to 5 different OUs or computer groups to link it all together?

    It depends on your needs.
       

    • If these clients that need to apply updates at different times will all be approved for the same update, you can put them in the same computer group, or multiple subgroups under the same parent group.
      Unless a deadline is added during your approval, the update installation time is determined by the GPO.
         
    • If these clients that need to apply updates at different times will be approved for different updates, then separate computer groups are necessary.
      Similarly, unless a deadline is added when you approve, the update installation time is determined by the GPO.
        
    Regards,
    Yic



    Thursday, November 28, 2019 2:49 AM
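The answer above draws the line between what the computer group decides (which updates a server is offered) and what the GPO decides (when they install), with an approval deadline as the one thing that overrides the GPO schedule; an earlier reply suggested using WSUS only to find out what each server is missing. The following PowerShell is an added example covering both points, not code from the thread or from Microsoft. It runs on the WSUS server (or any machine with the WSUS console installed) against the Microsoft.UpdateServices.Administration API; the server name, port, tier names and KB number are hypothetical.

```powershell
# Added example (not from the thread): server-side half of the staged rollout.
# Assumed (hypothetical): WSUS server 'wsus01' on port 8530, five tier groups.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('wsus01', $false, 8530)

$TierNames = 'Tier1-LeastCritical','Tier2','Tier3','Tier4','Tier5-MostCritical'

function Get-OrCreateTargetGroup {
    param([string]$Name)
    $existing = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $Name }
    if ($existing) { return $existing }
    return $wsus.CreateComputerTargetGroup($Name)
}

# Make sure the five groups exist. Client-side targeting only fills them if
# WSUS is set to "Use Group Policy or registry settings on computers"
# (Options > Computers in the console).
$Groups = @{}
foreach ($n in $TierNames) { $Groups[$n] = Get-OrCreateTargetGroup $n }

function Approve-ForTier {
    param(
        [string]$KB,                 # e.g. '4012598' (hypothetical)
        [string]$Tier,
        [int]$DeadlineDays = 0       # 0 = no deadline: the tier's GPO schedule decides
    )
    $updates = $wsus.SearchUpdates($KB) | Where-Object { $_.KnowledgebaseArticles -contains $KB }
    if (-not $updates) { throw "KB$KB is not in the WSUS catalog" }
    $action = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
    foreach ($u in $updates) {
        if ($DeadlineDays -gt 0) {
            # A deadline forces install (and the restart) at that time even if the
            # GPO says a different day, so reserve it for out-of-band fixes.
            $deadline = (Get-Date).AddDays($DeadlineDays)
            $u.Approve($action, $Groups[$Tier], $deadline) | Out-Null
            "{0} -> {1} (deadline {2})" -f $u.Title, $Tier, $deadline
        } else {
            $u.Approve($action, $Groups[$Tier]) | Out-Null
            "{0} -> {1} (GPO schedule)" -f $u.Title, $Tier
        }
    }
}

function Get-MissingUpdatesReport {
    # Approved-but-not-installed count per member of a tier, plus when it last
    # reported, so a server that never checks in stands out.
    param([string]$Tier)
    $notInstalled = [Microsoft.UpdateServices.Administration.UpdateInstallationState]::NotInstalled
    foreach ($c in $Groups[$Tier].GetComputerTargets()) {
        $missing = @($c.GetUpdateInstallationInfoPerUpdate() |
            Where-Object { $_.UpdateInstallationState -eq $notInstalled })
        New-Object PSObject -Property @{
            Computer     = $c.FullDomainName
            LastReported = $c.LastReportedStatusTime
            Missing      = $missing.Count
        }
    }
}

# Usage: approve for the least critical tier first, check it, then move up.
#   Approve-ForTier -KB '4012598' -Tier 'Tier1-LeastCritical'
#   Get-MissingUpdatesReport -Tier 'Tier1-LeastCritical' | Format-Table -AutoSize
#   Approve-ForTier -KB '4012598' -Tier 'Tier5-MostCritical' -DeadlineDays 7
```

Because the same update is approved separately per group, a problem found on Tier1 simply means not approving it for the next tier, and since installation time still comes from each tier's GPO, no server installs outside its own window unless you deliberately pass a deadline.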
  • Hi,
     

    Any update is welcome here.
    If the issue is resolved, share your solution or find the helpful response "Mark as Answer" to help other community members find the answer.
     

    Thank you for your cooperation, as always.
     

    Regards,
    Yic


    Friday, December 6, 2019 5:30 AM
  • Hi,
       

    Since this thread has not been updated for a long time, a summary of the current process is provided for reference when continuing to follow up later:
       

    • Issue Symptom
      Provide better update management through the computer group function.

    • Possible Cause
      Solution consulting.

    • Troubleshooting Steps so far
      Consider applying different group policies to clients and setting up different automatic installation plans.
        
    Regards,
    Yic


    Monday, December 9, 2019 2:50 AM