locked
WSUS and Group Policy Deployment RRS feed

  • Question

  • Hi

    I am currently running a Windows 2003 SP2 environment.  Clients are running Windows 7 and Windows XP.  I have recently deployed WSUS into my environment however I am having a few challenges.

    Background

    1. Created three OUs to capture the Windows 7 machines, the Windows XP machines and a Test Group
    2. Created a GPO for each group and linked the OU to GPO
    3. Computers have been assigned based on their grouping
    4. The Updates are categorised based on Critical, Security Updates and WSUS updates
    5. I have the following settings for each GPO enabled - Enable client side targeting, Configure Automatic updates and Specify microsoft intranet server
    6. I have Exchange selected as one of my product classifications however I do not see any updates or service packs pertaining to that application

    Issues

    • Is there a particular order in which the updates should be deployed (based on point 4)
    • How do I force the client computers to the WSUS server for the updates as each individual user can still download updates from the web
    • How do I automatically deploy the updates to the clients after they have been tested on the Test Goup
    • Is it possible to deploy updates automatically to the test group and after three days they are deployed to the relevant production group
    • How can updates be deleted if they are being declined, I have found that after an update is declined it is not removed

    Please help!

    Thanks

    Tuesday, June 19, 2012 2:10 PM

Answers

    • Is there a particular order in which the updates should be deployed (based on point 4)
    • How do I force the client computers to the WSUS server for the updates as each individual user can still download updates from the web
    • How do I automatically deploy the updates to the clients after they have been tested on the Test Goup
    • Is it possible to deploy updates automatically to the test group and after three days they are deployed to the relevant production group
    • How can updates be deleted if they are being declined, I have found that after an update is declined it is not removed

    1.There is no compulsary order.But, as usual,we usually don't mix the Service Pack or Exclusive update(for IE,.NET) with other security update.
    2.By default,the user can install the updates thru the web,MU.You can make the restriction thru the GPO to only allowed thru WSUS.
    3.Set option 4 in the gpo, and approve the update for the wanted groups.
    4.No that automatic functionality. You need a WSUS admin involved.
    5.You can use WSUS “Approved for Removal” feature to remove or uninstall an already-installed update. This option is available only if the update is already installed and supports removal. If not, you need to manually uninstall.

    Regards,

    Clarence


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, June 20, 2012 6:31 AM