Client-Side Targeting Best Practices in Large Company

  • Question

  • I am working on our WSUS installation and am looking for advice on client-side targeting. We have hundreds of OUs, so it would be difficult to attach GPOs to OUs.

    Our goals include:

    Segregate workstations from servers. (We push workstation updates down. Notify only for servers)

    Ensure no new computers are left out of WSUS (We currently apply workstation policy at domain then block for servers)

    Prevent servers from being accidentally pushed into the workstations group on WSUS (Because we apply workstation policy at domain level)

    I am considering a security-group-trimmed GPO for workstations and/or WMI to place workstations and servers in the proper groups.

    I would be grateful for some guidance.

    Friday, April 24, 2020 12:46 AM

All replies

  • Check the documentation here,

    https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/manage/managing-wsus-client-computers-and-wsus-computer-groups

    When considering a large enterprise level, it's better to use SCCM than WSUS.

    Friday, April 24, 2020 1:09 AM
  • Hi Wackamo,

    For computer groups in WSUS, in simple terms, you can handle them in the following two ways:

    In simple terms, one is manual adjustment and the other is semi-automatic (this is because you need to configure group policies for 100 OUs). For your needs:


    1. "Segregate workstations from servers. (We push workstation updates down. Notify only for servers)"
       You may need to choose a method from manual and semi-automatic to achieve this.
       If your expectation is to automatically analyze the carrier type of the client for grouping, this is difficult to achieve directly in WSUS.

    2. "Ensure no new computers are left out of WSUS (We currently apply workstation policy at domain then block for servers)"
       The way to control whether the client passes WSUS is computer policy (group policy or local policy). If the policy does not change, then the computer group will not leave WSUS management.

    3. "Prevent servers from being accidentally pushed into the workstations group on WSUS (Because we apply workstation policy at domain level)"
       If you consider this, then the manual method will not be recommended; you can consider the semi-automatic method.

    4. "I am considering a security group-trimmed GPO for workstations and or WMI to place workstations and servers in the proper groups."
       Computer policy determines the WSUS update behavior of the client. I'm not very clear what you want to achieve here, but grouping in WSUS by identifying certain attributes may be difficult to achieve.


    As an additional reference, the device collection function of Configuration Manager provides a dynamic collection method, which seems to be what you want to achieve. This article provides some explanation: "How to create collections in Configuration Manager".
    Hope the above can help you.

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 24, 2020 3:21 AM
  • Hi Wackamo,

    Before doing it manually, I have another approach. Disclaimer: I recommend using WMI filters only if there is no other way!

    Do the config for the WSUS in one policy for Workstations, one policy for the Servers and one policy for Domain Controllers. Use a WMI filter based on the OS to filter whether it is a Server or Client OS. The Domain Controllers don't need a WMI filter; they should all be in one OU, I hope...

    If you have multiple locations, leave the WSUS server out of this configuration and create site policies with the local or next site WSUS. This requires that the AD Sites in the Sites and Services Console are maintained.

    Just as an idea.


    Kind regards
    Fabian Niesen
    ---
    Infrastrukturhelden.de (German) - Infrastructureheroes.org (English)
    LinkedIn - Xing - Twitter
    #Iwork4Dell - Opinions and Posts are my own
    My posts are provided as they are. Usage is at your own risk.
    Please consider marking this entry as helpful or solution if it helps or solved your issue.

    Tuesday, April 28, 2020 6:43 PM
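The OS-based WMI filter approach above, as an added example that is not from any poster in this thread: it evaluates the WQL queries a GPO WMI filter would use (assumed here to key on Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server), then reads the client-side targeting policy the matching GPO should have written, so a server that landed in the "Workstations" group (the original poster's third concern) is reported as a mismatch. The group names and the ProductType mapping are assumptions; adjust them to your own WSUS groups.

```powershell
# Added example, not code from the thread. Assumes client-side targeting GPOs
# scoped by these WMI filters and the WSUS group names used as keys below.
$WmiFilterQueries = [ordered]@{
    'Domain Controllers' = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "2"'
    'Servers'            = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "3"'
    'Workstations'       = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"'
}

function Get-ExpectedWsusGroup {
    # Run each filter query locally, exactly as the GPO engine evaluates a WMI filter;
    # the first query that returns an instance names the group this OS role should be in.
    foreach ($group in $WmiFilterQueries.Keys) {
        if (Get-CimInstance -Query $WmiFilterQueries[$group] -ErrorAction SilentlyContinue) {
            return $group
        }
    }
    return $null
}

function Get-ConfiguredWsusGroup {
    # Client-side targeting is delivered by policy to this key: TargetGroupEnabled (DWORD)
    # and TargetGroup (string). No key or a disabled flag means the machine is not targeted.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.TargetGroupEnabled -ne 1) { return $null }
    return $policy.TargetGroup
}

function Test-WsusTargeting {
    $expected   = Get-ExpectedWsusGroup
    $configured = Get-ConfiguredWsusGroup
    if (-not $expected) {
        return 'UNKNOWN: ProductType matched none of the filter queries'
    }
    if (-not $configured) {
        # Covers the "new computer left out of WSUS" case: no targeting policy applied at all.
        return "NOT TARGETED: no TargetGroup policy applied; expected '$expected'"
    }
    if ($configured -ne $expected) {
        # The case the thread wants to prevent, e.g. a server sitting in 'Workstations'.
        return "MISMATCH: policy says '$configured' but OS role expects '$expected'"
    }
    return "OK: '$configured'"
}

Test-WsusTargeting
```

Running this under a remoting session or a scheduled inventory job across the estate turns the three goals in the original question into a per-machine check that can be collected centrally.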
  • Hi,

    Any update is welcome here.
    If the issue is resolved, share your solution or find the helpful response "Mark as Answer" to help other community members find the answer.

    Thank you for your cooperation, as always.

    Regards,
    Yic


    Friday, May 1, 2020 2:25 AM
  • KISS Method! Keep it simple stupid with "Workstations" & "Servers". THAT'S IT! (and their appropriate Test Groups too)

    See how to get it done with my 8-part blog series on How To Setup, Manage, and Maintain WSUS.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-1-choosing-your-server-os/

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Saturday, May 2, 2020 4:27 PM