Whether a domain GPO still exists if the machine comes out of the domain?

    Question

  • Hi,

     I am planning to configure a WSUS server to do centralised patch management, and I will apply a domain Group Policy to make all computers in my environment get patches from the WSUS. If a GPO is applied, then the registry settings of the computers will change and they will take updates only from the WSUS server.

    My doubt is:

      • Will users' computers get updates/patches from Microsoft (not from WSUS) if they are not connected to the domain?

        I have this doubt because, if the user is not logging in to the domain, I do not know whether that GPO will exist on the computer or not.

    /Rinku


    • Edited by Midhun_mtm Thursday, September 13, 2012 10:28 AM
    Thursday, September 13, 2012 10:26 AM

Answers

  • If the user of the computer clicks on the below highlighted link, will they get updates if they are not in the domain?

    Yes.

    If the answer is "yes", can we set anything like below?

    The computer will automatically search for updates from Microsoft (online) directly if they are not receiving patches from the WSUS server, without manually clicking on the link mentioned above.

    No. And I think once you consider the true intent of WSUS and how that compares to how WU/MU works, you won't want it either. The purpose of WSUS is to allow an organization to choose which updates are deployed to a system, and more importantly, the opposite -- which updates are Not Deployed to a system. But the moment you allow a system to scan WU/MU, you lose that choice, and that system will get *ALL* current updates released by Microsoft.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Friday, September 21, 2012 10:46 PM
    Moderator
  • If the computer is not a member of the domain, then the GPO will get deleted.

    Functionally true, but semantically inaccurate...

    If the computer is not a member of the domain and has never been a member of the domain, then the computer will never get the GPO and then, strictly speaking, there is no GPO to delete.

    If the computer is not a member of the domain, but was previously a member of the domain (after the GPO was created), then the computer did get the GPO and *NO* the impact of the GPO will NOT be undone. This is a very important consideration when configuring the WUAgent, and this behavior is different from how some pure policy-based configurations are affected. In the case of the WUAgent, the GPO merely *sets* some registry values. The WUAgent then reads those registry values in order to determine its configuration. If a WSUS client is removed from the domain, the only thing that happens is that the GPO doesn't get applied anymore to "set" those values -- but there is nothing that "unsets" those values. Ergo, a very critical thing to note: When a WSUS client is removed from a domain -- it still continues to be a WSUS client *and* if that WSUS server is still accessible on the network to that non-domain client, it will continue to get updates from the WSUS server.

    Let's also make something very clear -- physically removing a machine from the office and taking it home does not remove that machine from the DOMAIN -- it only removes the machine from the OFFICE. Domain Membership is a logical attribute of a computer, not a physical attribute. Please do not confuse removing a machine from the domain with removing a machine from the NETWORK. I suspect in this discussion it is truly the latter (network) that you're concerned with, not the domain, but by misstating that qualification the conversation has provided some truly misleading information for your purpose.

    But to get patches from WSUS, the computer needs to be in the domain.

    WSUS is domain-agnostic. It does not know, nor does it care, about the presence of Active Directory. Group Policy is used merely as a tool to configure the WUAgent. Local Policy and REGEDIT can also be used for this purpose. In order to make a WSUS client not be a WSUS client it must be explicitly configured to not be a WSUS client (e.g. the registry value UseWUServer must be set to '0').

    A computer does *NOT* need to be in a domain to get patches from a WSUS server.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin


    Saturday, September 15, 2012 7:18 PM
    Moderator

All replies

  • >> Will users' computers get updates/patches from Microsoft (not from WSUS) if they are not connected to the domain? <<

    Nope, if your policy has been applied, until you delete the registry settings on these clients.

    Thursday, September 13, 2012 11:30 AM
  • Will users' computers get updates/patches from Microsoft (not from WSUS) if they are not connected to the domain?

     If you have configured the client system to look at the WSUS server (using GPO settings) for updates, then they will not contact Microsoft for updates. They will depend on your WSUS server.

        I have this doubt because, if the user is not logging in to the domain, I do not know whether that GPO will exist on the computer or not.

     If the computer is not a member of the domain, then the GPO will get deleted. If it is a member of the domain, the GPO stays intact.

     But to get patches from WSUS, the computer needs to be in the domain.

    Regards,

    _Prashant_

     


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, September 13, 2012 11:31 AM
  • Hi,

     I have one more question.

      • Is there any way to set up an environment like below?
      • Machines will get updates from the WSUS server if they are in the domain. If they are not in the domain, they need to get them from Microsoft directly.

    Regards,

    Rinku

    Thursday, September 13, 2012 12:34 PM
  • What do you mean by "If they are not in domain"?

    If you want your clients to update from MU when they are not in the corporate network, it can be done with a script.

    Take a look at this thread:

    http://social.technet.microsoft.com/Forums/en-US/winserverwsus/thread/a7eb5fd7-089f-45e7-9d50-591b724d27ae/


    Thursday, September 13, 2012 12:41 PM
  • Hi,

    "If they are not in domain"? means: if the machines are not connected to the domain network, or the users of the machines are logging in to the machines using a local user account.

    Regards,

    Rinku

    Friday, September 14, 2012 6:55 AM
  • If the computer is not a member of the domain, then the GPO will get deleted.

    Functionally true, but semantically inaccurate...

    If the computer is not a member of the domain and has never been a member of the domain, then the computer will never get the GPO and then, strictly speaking, there is no GPO to delete.

    You are right Lawrence, I need to be careful with my words. I meant the same, but it might give some wrong impression to the O.P.

    A computer does *NOT* need to be in a domain to get patches from a WSUS server.

     Agreed,

       To get the patches from WSUS, the client should be able to contact the WSUS server (it needs to be in a LAN network where routing is enabled, so that it can contact the WSUS server). If this is met, even if the client is not in a domain, it will get the updates from WSUS.

    Thanks,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, September 17, 2012 11:29 AM
  • Hi,

    "If they are not in domain"? means: if the machines are not connected to the domain network, or the users of the machines are logging in to the machines using a local user account.

    Regards,

    Rinku

    Rinku,

     It depends on the registry setting on the client side. As Lawrence said, if you have defined the UseWUServer value as 1, that means it will point to your WSUS server for updates. If it is not defined, then you can use Microsoft for updates.

    Registry: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU.

    Thanks,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, September 17, 2012 11:39 AM
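As an added example (not from this thread or from any of its posters), here is a read-only PowerShell audit that checks the registry values Lawrence and Prashant describe, so an administrator can see what a given machine will actually do regardless of whether it is still joined to the domain. It assumes the policy location HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, with UseWUServer under its AU subkey and WUServer/WUStatusServer at the parent key (the location the WSUS Group Policy writes to), and it reports domain membership separately from WSUS reachability because the thread's point is that the two are independent.

```powershell
# Added example, not code from the thread: audit the WUAgent configuration
# left behind by the WSUS Group Policy. The GPO only *sets* registry values,
# so they survive leaving the domain; this script shows what the agent will read.
# Run from an elevated PowerShell prompt on the client you want to inspect.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # WUServer, WUStatusServer
$auKey     = Join-Path $policyKey 'AU'                                   # UseWUServer

function Get-RegValueOrNull {
    # Returns the named value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$useWUServer    = Get-RegValueOrNull -Path $auKey     -Name 'UseWUServer'
$wuServer       = Get-RegValueOrNull -Path $policyKey -Name 'WUServer'
$wuStatusServer = Get-RegValueOrNull -Path $policyKey -Name 'WUStatusServer'

# Domain membership is a logical attribute of the computer; report it on its own.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$report = [ordered]@{
    ComputerName   = $cs.Name
    PartOfDomain   = $cs.PartOfDomain
    Domain         = $cs.Domain
    UseWUServer    = $useWUServer
    WUServer       = $wuServer
    WUStatusServer = $wuStatusServer
}

if ($useWUServer -eq 1 -and $wuServer) {
    $report.UpdateSource = "WSUS ($wuServer)"
    # Can the WSUS server be reached from wherever the machine currently sits?
    $uri  = [System.Uri]$wuServer
    $port = if ($uri.IsDefaultPort) { if ($uri.Scheme -eq 'https') { 443 } else { 80 } } else { $uri.Port }
    $reachable = Test-NetConnection -ComputerName $uri.Host -Port $port `
                     -InformationLevel Quiet -WarningAction SilentlyContinue
    $report.WSUSReachable = $reachable
    if (-not $reachable) {
        # The agent does not fall back to WU/MU on its own (see Lawrence's replies).
        $report.Risk = 'Pointed at WSUS but cannot reach it: no automatic updates from any source until reconnected or explicitly reconfigured.'
    }
} elseif ($useWUServer -eq 1) {
    $report.UpdateSource = 'Misconfigured: UseWUServer=1 but no WUServer value'
} else {
    $report.UpdateSource = 'Windows Update / Microsoft Update (no WSUS policy values present)'
}

[pscustomobject]$report | Format-List
```

The script deliberately changes nothing. If it reports UseWUServer=1 with an unreachable WSUS server on a machine that has left the network, that is exactly the situation the thread warns about: the machine is still a WSUS client and will receive no updates automatically until someone either restores connectivity or sets UseWUServer to 0, at which point it will take every current update from Microsoft.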
  • Hi All,

    If the user of the computer clicks on the below highlighted link, will they get updates if they are not in the domain?

    If the answer is "yes", can we set anything like below?

     The computer will automatically search for updates from Microsoft (online) directly if they are not receiving patches from the WSUS server, without manually clicking on the link mentioned above.

    Regards

    Midhun


    • Edited by Midhun_mtm Monday, September 17, 2012 3:13 PM
    Monday, September 17, 2012 12:27 PM
  • This will fail if the registry settings on the client systems are pointing to your WSUS server (as discussed earlier).

    To get the updates from Microsoft you need to change the registry settings and set the UseWUServer value to 0.

    I have tested this in my lab environment: when I set UseWUServer to 0, it went to Microsoft and was able to download and install the updates.

    Hope this helps.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, September 21, 2012 5:43 PM
  • This will fail if the registry settings on the client systems are pointing to your WSUS server.

    I think it's important here to specify which part of the inquiry will fail, and which will not. On a machine configured to use a WSUS server, the user will always have access to the "Check online for updates from Windows Update" option, unless that option has been expressly blocked by policy. What fails is the idea of automatic fallback to using AU when the WSUS server is inaccessible, and in the previous reply I explained why this is not within the design specification of WSUS or the WUAgent.

    To get the updates from Microsoft you need to change the registry settings and set the UseWUServer value to 0.

    The key distinction on this point is that you need to do this to automatically get updates from WU/MU. As noted, a logged in user can always go to the WUApp and click on "Check online for updates from Windows Update" unless that option has been expressly blocked by policy.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Friday, September 21, 2012 10:51 PM
    Moderator