locked
WSUS strange issue... RRS feed

  • Question

  • Hi all,

    I have done a clean install of WSUS on a brand new 2012 r2 server - I have configured a GPO on a DC to point ONLY client computers in a security group called windows_update to the WSUS server on port 8530.

    However, for some reason when I look in WSUS > computers > all computers and I can see 3 of my Hyper-V hosts / servers. This is frustrating as I purposefully created a security group to scope the GPO to which I thought would prevent this from happening!

    Is there something I am missing here?

    Any help would be really appreciated.

    Thanks

    Monday, July 25, 2016 11:02 AM

Answers

  • Hi hyperNoddy,

    >do I now need to manually strip out the WSUS settings?

    We have several ways to remove WSUS client settings:

    1. "Not configure" all AU settings in the GPO, then run "gpupdate/force" on hyper-v servers, then these servers will apply a "Not configured" GPO to remove original setting;

    2. Totally remove all register keys in the HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, then restart windows update services. Also enable the GPO will not be applied again.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by hyperNoddy Wednesday, July 27, 2016 2:03 PM
    Wednesday, July 27, 2016 1:36 AM
  • Thanks - all sorted now - this did the trick

    2. Totally remove all register keys in the HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, then restart windows update services. Also enable the GPO will not be applied again.

    • Marked as answer by hyperNoddy Wednesday, July 27, 2016 2:03 PM
    Wednesday, July 27, 2016 2:03 PM

All replies

  • Hi hyperNoddy,

    >However, for some reason when I look in WSUS > computers > all computers and I can see 3 of my Hyper-V hosts / servers.

    Do you mean the three Hyper-V hosts/servers aren't in windows_update group, while they show up in the WSUS console as WSUS clients? Then what about clients in windows_update group, could they show up in the WSUS console?

    If my understanding is correct, then please run command "gpresult /h C:\report.html" both on clients in windows_update group and on hyper-v hosts, check if the WSUS GPO is applied as expected.

    If you found the hyper-v hosts applied the GPO, which isn't the expected behavior, then we need to check the GPO settings.

    Check if the GPO is created for correct OU, and check if the security filtering is correctly configured.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, July 26, 2016 1:21 AM
  • thank you for replying.

    yes that is correct the 3 hyper-v hosts are NOT in the windows_update group yet they are still showing up in the WSUS console.

    The GPO called "Windows Update" is applied at the domain level. Although initially it was applied at an OU where the servers could have potentially been. I just cant remember now. Also, initially when I created the GPO the scope of the group was that authenticated users were under security filtering rather than the security group windows_update.

    Could this be the cause? If so how to I stop the hyper-v hosts from appearing in WSUS - I am deleting them from WSUS but they are reappearing.

    gpresult is showing no signs of the GPO being applied.

    Thanks again

    Tuesday, July 26, 2016 7:25 AM
  • sorry... someone had created ANOTHER GPO which did infact point the hyper-v servers at the WSUS server!

    I have removed this incorrectly added GPO from GPMC now, however the three hyper-v servers are still configured in the registry to point to the new WSUS server - do I now need to manually strip out the WSUS settings? Its key that these hyper-v servers are not updated / rebooted.

    Tuesday, July 26, 2016 8:16 AM
  • Hi hyperNoddy,

    >do I now need to manually strip out the WSUS settings?

    We have several ways to remove WSUS client settings:

    1. "Not configure" all AU settings in the GPO, then run "gpupdate/force" on hyper-v servers, then these servers will apply a "Not configured" GPO to remove original setting;

    2. Totally remove all register keys in the HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, then restart windows update services. Also enable the GPO will not be applied again.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by hyperNoddy Wednesday, July 27, 2016 2:03 PM
    Wednesday, July 27, 2016 1:36 AM
  • Thanks - all sorted now - this did the trick

    2. Totally remove all register keys in the HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, then restart windows update services. Also enable the GPO will not be applied again.

    • Marked as answer by hyperNoddy Wednesday, July 27, 2016 2:03 PM
    Wednesday, July 27, 2016 2:03 PM
  • Hi hyperNoddy,

    You are welcome :)

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, July 28, 2016 1:17 AM