locked
Question about FCS and GPO on a nested OU RRS feed

  • Question

  • We are testing FCS for our enterprise.  We already have an existing WSUS server.  Our main computer OU in Active Directory is called WSUS.  This is where a computer has to be to pull updates from WSUS.  I have a nested OU in that folder for my FCS testing computers.  I've deployed the FCS GPO to that testing OU under the main WSUS OU.  When I go into the properties, it only shows the FCS Client GPO.  Is the GPO for the WSUS being applied to nested OUs?  Or do I need to add that GPO to that OU?  Should there be 2 GPOs in my FCS OU? 

    Also, we have our WSUS updates set to prompt the user to install the updates.  Is it possible to make an exception for Forefront updates?  We want those to install right away.  We already have an automatic rule to approve them on the WSUS folder.  Can I just edit the FCS GPO to say "Auto install updates"?  Will that apply to only FCS?  Or will that apply to all Windows updates?

    Thanks!

    Wednesday, June 30, 2010 2:38 PM

Answers

  • There is no need to have 2 gpos for the FCS OU.  Unless you are blocking inheritance, any OU's under the WSUS OU will receive its policies.

    Yes, the automatic approval rule should be enough, but I can't say for certain because we don't prompt the user before installation.  I have enabled "Allow Automatic Updates immediate installation", which will immediately install updates that do not interrupt services or require a reboot.  You can also edit the FCS policy to run a quick scan every few hours and require FSC to check for definition updates before the scan.

     

    • Proposed as answer by Nick Gu - MSFT Friday, July 2, 2010 5:49 AM
    • Marked as answer by Mike H Leach Thursday, July 15, 2010 3:48 PM
    Wednesday, June 30, 2010 8:25 PM

All replies

  • There is no need to have 2 gpos for the FCS OU.  Unless you are blocking inheritance, any OU's under the WSUS OU will receive its policies.

    Yes, the automatic approval rule should be enough, but I can't say for certain because we don't prompt the user before installation.  I have enabled "Allow Automatic Updates immediate installation", which will immediately install updates that do not interrupt services or require a reboot.  You can also edit the FCS policy to run a quick scan every few hours and require FSC to check for definition updates before the scan.

     

    • Proposed as answer by Nick Gu - MSFT Friday, July 2, 2010 5:49 AM
    • Marked as answer by Mike H Leach Thursday, July 15, 2010 3:48 PM
    Wednesday, June 30, 2010 8:25 PM
  • Thanks for the response.  I changed the FCS GPO to automatically install.  I'm hoping this GPO only applies to FCS.  I took the WSUS GPO out of this test OU.  So, the next time some Windows updates synchronize with WSUS, we'll see if they prompt to install (what we want for OS updates) or if the FCS GPO forces the install. 
    Friday, July 2, 2010 12:56 PM
  • Hi,

    Do you have any update about this issue?

    Regards,

     


    Nick Gu - MSFT
    Monday, July 5, 2010 4:21 AM
  • Hi Nick,

    I'm waiting for the next Windows 7 update release to see if how I currently have the GPO set up works.  I have the FCS GPO set to approve and install.  WSUS policy is set to prompt for the user.  I can't test until updates are released.  I will update as soon as this is tested which could be today if some updates sync with WSUS.

    Mike

    Tuesday, July 6, 2010 1:14 PM
  • you can configure automatic approval for FCS product from WSUS managment console and run it after compleate.
    Mahdy
    Wednesday, July 7, 2010 10:05 AM
  • Yes, we did an automatic approval for FCS updates.  I'm working on automatic installs for FSC but leaving OS updates at prompt user to install.

    What do you mean by "run it after complete"?

    Wednesday, July 7, 2010 12:26 PM
  • This has been tested and is working.  FCS initial client requires the user to install.  But, all definition updates automatically approve and install.  Any other Windows updates from WSUS prompt for install.  Thanks!
    Thursday, July 15, 2010 3:49 PM