locked
WSUS-Client Side Targeting RRS feed

  • Question

  • In our organization, we have few computer groups (say - Server 2000, Sesrver 2003, Server 2008) and all server computers are grouped under each server groups. If I need to enable "client side targeting" Can I use semi-colon (;) to specify each group. Even if I specify those groups using semi-colon, how computers will be added to the respective groups in the WSUS servers. Can you advice pls.


    VT
    Wednesday, November 30, 2011 10:07 PM

Answers

  • Hi,

    Thank you for posting here.

    If you wanna enable the client-targeting feature,change the setting in Options | Computers to use GP or registry settings on computers, define the target group name in the GPO with semi-colon (;) ,and then create target group name in the WSUS computer groups. After a while, the computers will appear in the groups automatically.Remember that change membership option will be greyed-out when you enable client-targeting feature.

    With the "client side targeting"policy set to Enabled, the client will inform the WSUS Server what it's group membership(s) actually are.

    Best regards,

    Clarence


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by mywindows Friday, December 2, 2011 1:41 AM
    • Unmarked as answer by mywindows Sunday, December 4, 2011 8:07 PM
    • Marked as answer by Clarence Zhang Friday, December 9, 2011 1:38 AM
    Thursday, December 1, 2011 3:06 AM
  • If I need to enable "client side targeting" Can I use semi-colon (;) to specify each group.
    Yes, multiple group memberships are specified by listing them in the GPO setting as a semi-colon delimited list.
    Even if I specify those groups using semi-colon, how computers will be added to the respective groups in the WSUS servers.
    If you specify multiple groups, the computer(s) will appear in each group.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    • Marked as answer by mywindows Friday, December 2, 2011 1:41 AM
    • Unmarked as answer by mywindows Sunday, December 4, 2011 8:07 PM
    • Marked as answer by Clarence Zhang Friday, December 9, 2011 1:38 AM
    Thursday, December 1, 2011 8:02 PM
  • Hi,

    But I can see both server 2003 computers (from that group) and Server 2008 computers (from that group) appears in both the group as opposed to be apearing in seperate group as it supposed to.

    You didn't understand the meaning of define the target group name in the GPO with semi-colon (;) .It doesn't mean to create the computers to the corresponding groups you created with semi-colon.It just create the computers in both groups as your description.

    As you mentioned above, to fulfill your target, you must do the 2 gpo separately for these 2 ous to enable client-side targeting exculsively.

     

    Best regards,

    Clarence


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, December 5, 2011 3:00 AM
  • 2. Created GPO, enabled client side targeting, specified 2 OU names under "Target Group names for this computer", Linked & Enforced that same GPO to both the OU's.

    The GPO linked to the Win2003 orgUnit should specify the Win2003 Target Group.

    The GPO linked to the Win2008 orgUnit should specify the Win2008 Target Group.

    Perhaps a review of the following resources will be helpful:


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, December 5, 2011 3:56 PM

All replies

  • Hi,

    Thank you for posting here.

    If you wanna enable the client-targeting feature,change the setting in Options | Computers to use GP or registry settings on computers, define the target group name in the GPO with semi-colon (;) ,and then create target group name in the WSUS computer groups. After a while, the computers will appear in the groups automatically.Remember that change membership option will be greyed-out when you enable client-targeting feature.

    With the "client side targeting"policy set to Enabled, the client will inform the WSUS Server what it's group membership(s) actually are.

    Best regards,

    Clarence


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by mywindows Friday, December 2, 2011 1:41 AM
    • Unmarked as answer by mywindows Sunday, December 4, 2011 8:07 PM
    • Marked as answer by Clarence Zhang Friday, December 9, 2011 1:38 AM
    Thursday, December 1, 2011 3:06 AM
  • If I need to enable "client side targeting" Can I use semi-colon (;) to specify each group.
    Yes, multiple group memberships are specified by listing them in the GPO setting as a semi-colon delimited list.
    Even if I specify those groups using semi-colon, how computers will be added to the respective groups in the WSUS servers.
    If you specify multiple groups, the computer(s) will appear in each group.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    • Marked as answer by mywindows Friday, December 2, 2011 1:41 AM
    • Unmarked as answer by mywindows Sunday, December 4, 2011 8:07 PM
    • Marked as answer by Clarence Zhang Friday, December 9, 2011 1:38 AM
    Thursday, December 1, 2011 8:02 PM
  • Thanks guys for your post, I will try that.
    VT
    Friday, December 2, 2011 1:41 AM
  • I tried grouping computers, but didnt appear as I have grouped. Say for example....server 2003 computers will appear in Server 2003 group, Server 2008 will appear in Server 2008 group.

    I did enable the client side targeting option in GPO, did gpupdate in both side. But all I can see is all computers 2003 and 2008 both appearing in both groups (Server 2003 and 2008). Any solutions to fix that....please let me know....


    VT
    Sunday, December 4, 2011 8:01 PM
  • I did enable the client side targeting option in GPO, did gpupdate in both side. But all I can see is all computers 2003 and 2008 both appearing in both groups (Server 2003 and 2008). Any solutions to fix that....please let me know....

    Are the machines all in the same OrgUnit?

    The computer appears in whatever group(s) you configure it to be in. There no auto-detection by operating system. If you configured one GPO specifying both groups, and link it to one orgUnit containing both types of systems, then all systems in that orgUnit are going to appear in both WSUS Target Groups -- exactly as you configured it.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Sunday, December 4, 2011 11:29 PM
  • Hi Lawrence.....thanks for the reply.

    Yes Server 2003 system objects are in OU Named Server 2003 & the same for Server 2008 as well. Steps I did is -
    1. created 2 OUs as mentioned.
    2. Created GPO, enabled client side targeting, specified 2 OU names under "Target Group names for this computer", Linked & Enforced that same GPO to both the OU's.
    3. Created the same name in WSUS as of the OU name, then ran gpupdate.....

    But I can see both server 2003 computers (from that group) and Server 2008 computers (from that group) appears in both the group as opposed to be apearing in seperate group as it supposed to.....Please let me know any suggestions.


    VT
    • Edited by mywindows Sunday, December 4, 2011 11:57 PM edited
    Sunday, December 4, 2011 11:49 PM
  • Hi,

    But I can see both server 2003 computers (from that group) and Server 2008 computers (from that group) appears in both the group as opposed to be apearing in seperate group as it supposed to.

    You didn't understand the meaning of define the target group name in the GPO with semi-colon (;) .It doesn't mean to create the computers to the corresponding groups you created with semi-colon.It just create the computers in both groups as your description.

    As you mentioned above, to fulfill your target, you must do the 2 gpo separately for these 2 ous to enable client-side targeting exculsively.

     

    Best regards,

    Clarence


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, December 5, 2011 3:00 AM
  • 2. Created GPO, enabled client side targeting, specified 2 OU names under "Target Group names for this computer", Linked & Enforced that same GPO to both the OU's.

    The GPO linked to the Win2003 orgUnit should specify the Win2003 Target Group.

    The GPO linked to the Win2008 orgUnit should specify the Win2008 Target Group.

    Perhaps a review of the following resources will be helpful:


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, December 5, 2011 3:56 PM
  • Hi,

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios.

    If the issue still persists and you want to return to this question, please reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    In addition, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.

    Thanks!


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, December 9, 2011 1:38 AM
  • Hi there...I created to groups as mentioned Server 2008 (Server 2008 group) and Server 2003 (Server 2003 group). Computers appear in proper group as mentioned. I have questions, In the multiple group scenario like this where can we find the registry key for the 2 different group name. In the WSUS Server, I can find only Server 2008 group (Target Group) under Computer\HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate. Where can I find the second group server 2003. PLease let me know. If I can see them in the DC where can I find?
    VT
    Saturday, January 21, 2012 9:22 PM
  • Where can I find the second group server 2003.

    In the registry of a Windows Server 2003 system in the same value ... if you have properly configured and linked that GPO.

    If the registry value "TargetGroupName" is missing, that would suggest that your GPO is not properly linked to the orgUnit(s) containing the Windows Server 2003 systems.

    Run RSOP on a Win2003 system and confirm that the GPO that contains those settings has been seen, and applied, by that system.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    Wednesday, January 25, 2012 3:14 AM
  • Thanks Lawrence for clarification as I read I was under impression that we can create one GPO for mutiple folders so servers will be pushd to different WSUS Groups seperatly and not dual membership. So you need one GPO per WSUS Group for Client side Targeting. I dont see reason for specifying multiple groups unless you want to apply configure "Option" seperatly  etc etc.

    Well my main question is how to check if my "WSUS server supports multiple target groups"?

    Please advice

    Regards

    Avinash


    Avinash S. ITIL,PMP

    Monday, July 2, 2012 9:35 PM
  • So you need one GPO per WSUS Group for Client side Targeting.

    No, you need one GPO per orgUnit! The GPO identifies multiple target groups in a semi-colon delimited list, and each member of that OU belongs to every one of the named groups.
    I dont see reason for specifying multiple groups
    Consider this scenario: I have four groups -- Desktops, WindowsXP, Windows7x86, Windows7x64. I approve Operating Systsem patches to one of the Windows* groups because those updates are applicable to only one platform each. But Office updates and other applications exist on all three platforms. Now, I could approve those updates for all three groups -- but let's hope I don't miss one! I prefer to approve application updates for one group: Desktops. So in this scenario, I have three orgUnits, and three GPOs. GPO #1 (Desktops; WindowsXP); GPO #2 (Desktops; Windows7x86); GPO #3 (Desktops; Windows7x64).
    Well my main question is how to check if my "WSUS server supports multiple target groups"?
    ALL WSUS v3 servers support multiple target groups.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Tuesday, July 3, 2012 12:09 AM
  • Thanks Lawrence,

    I really appreciates your detailed and quick reponse on this

    Regards

    Avinash


    Avinash S. ITIL,PMP

    Tuesday, July 3, 2012 3:47 PM
  • Hi Lawrence...another question I would like to check...is there a way we can update the 3rd party software updates...such as Adobe, Java...etc  through WSUS v3...I checked there are no options to do that...may be I would have missed it...can you please give me some input on that or any other solutions I can follow...hoping to hear from you....

    VT

    Thursday, July 5, 2012 4:51 PM
  • is there a way we can update the 3rd party software updates...such as Adobe, Java...etc  through WSUS v3
    You'll need a third-party add-on product to get this functionality. You have three options:

    Each product brings some very different capabilities to the table, so a thorough look at all three is the best approach.

    Note: I am a Product Manager for SolarWinds.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Thursday, July 5, 2012 8:46 PM
  • Thanks Lawrence for those suggestions....is there a way I can contact you for solarwinds patch manager when we are ready....

    VT

    Friday, July 6, 2012 9:27 PM
  • Thanks Lawrence for those suggestions....is there a way I can contact you for solarwinds patch manager when we are ready....

    When you register and download the 30-day trial, a SolarWinds representative will contact you via email.

    You can also post in the SolarWinds Patch Manager forum on Thwack. I monitor that forum daily.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Saturday, July 7, 2012 7:50 PM
  • Thanks Lawrence...I will, when we are ready for that...

    VT

    Sunday, July 15, 2012 12:35 AM
  • One more Further question.

    I have WSUS Configured for Client Side Targeting and everything works fine.Just want to confirm how WSUS will react in relation to GPO

    GPO is set with following

    Configure Automatic Updates Enabled with OPTION-3 Autodownload and Notify for Install

    Automatic update detection frequency disabled " default 22 hrs".

    Enable Client Side targeting

    1. So I am assuming that no updates will be pushed to clients until I go to WSUS server and approve certain updates? is this correct?
    2. On WSUS Server If I select and approve few updates on "Monday" ,select the WSUS computer groups and set Deadline as "Friday" Night When will patches downloaded to Clients?
    3. Does 22 hrs autoupdate policy initiate and download the updates before Friday as autodetection is set to 22 Hrs as default settings
    4. If I dont set any deadline ,Will updates gets dowbloaded immediatly after approval in WSUS server?

    Seperate question:

    If I have 100 servers in one Computer group but want to patch only 50 this time. Can I do this without moving these servers out of OU in AD ?


    Avinash S. ITIL,PMP

    Monday, July 16, 2012 9:13 PM
  • One more Further question.

    I have WSUS Configured for Client Side Targeting and everything works fine.Just want to confirm how WSUS will react in relation to GPO

    GPO is set with following

    Configure Automatic Updates Enabled with OPTION-3 Autodownload and Notify for Install

    Automatic update detection frequency disabled " default 22 hrs".

    Enable Client Side targeting

    1. So I am assuming that no updates will be pushed to clients until I go to WSUS server and approve certain updates? is this correct?
      --> Yes, if you have enabled client side targetting, you have to approve updates, so that updates will be pushed to client systems...
    2. On WSUS Server If I select and approve few updates on "Monday" ,select the WSUS computer groups and set Deadline as "Friday" Night When will patches downloaded to Clients?
      --> I am sure it will be downloaded (the user is not notified or interrupted during this process) to clients once you have approved and you can see the shield popup in the client computer as you have set the OPTION - 3.
    3. Does 22 hrs autoupdate policy initiate and download the updates before Friday as autodetection is set to 22 Hrs as default settings
      --> I guess, it will let clients to check for update every 22 hours as you have set...if you want on Friday...you should probably try - Option 4
    4. If I dont set any deadline ,Will updates gets dowbloaded immediatly after approval in WSUS server?
      --> updates will be downloaded once approved.....

    Seperate question:

    If I have 100 servers in one Computer group but want to patch only 50 this time. Can I do this without moving these servers out of OU in AD ?

    --> if you want updates for the specific computers / server - Once you click on the server / computer in the WSUS console..you can see the option called "UPdates Needed" in the status column and click open so that Reports for that computer will open and then you can scroll through the pages to approve updates for that particular server....

    But, I found --> Easier way to do it create 2 seperate groups and put those servers in each group as you prefer and then approve those updates so that it get to those servers in sepicified group...


    FYI - http://technet.microsoft.com/en-us/library/cc708574(WS.10).aspx

    Above mentioned worked for me....if anyone has any input...they can let know as well.....

    VT



    • Edited by mywindows Monday, July 16, 2012 9:56 PM
    Monday, July 16, 2012 9:54 PM
  • BTW...you should also watch the video by Lawrence in the link below regarding WSUS best practices - which will also be of good help....

    https://www.eminentware.com/cs2008/media/p/864.aspx


    VT

    Monday, July 16, 2012 10:02 PM
  • Thanks, But I am looking for confirmative answers

    Lawrence can you help with this?

    I have WSUS Configured for Client Side Targeting and everything works fine.Just want to confirm how WSUS will react in relation to GPO

    GPO is set with following

    Configure Automatic Updates Enabled with OPTION-3 Autodownload and Notify for Install

    Automatic update detection frequency disabled " default 22 hrs".

    Enable Client Side targeting

    1. So I am assuming that no updates will be pushed to clients until I go to WSUS server and approve certain updates? is this correct?
    2. On WSUS Server If I select and approve few updates on "Monday" ,select the WSUS computer groups and set Deadline as "Friday" Night When will patches downloaded to Clients?
    3. Does 22 hrs autoupdate policy initiate and download the updates before Friday as autodetection is set to 22 Hrs as default settings
    4. If I dont set any deadline ,Will updates gets dowbloaded immediatly after approval in WSUS server?

    Seperate question:

    If I have 100 servers in one Computer group but want to patch only 50 this time. Can I do this without moving these servers out of OU in AD ? I do not want to create mutiple WSUS groups and so OUs(& GPO)

    Please advice


    Avinash S. ITIL,PMP

    Tuesday, July 17, 2012 1:32 PM
  • FYI - http://technet.microsoft.com/en-us/library/cc708574(WS.10).aspx

    Above mentioned worked for me....if anyone has any input...they can let know as well.....
    The current version of that article (for WSUS v3 SP2) can be found at http://technet.microsoft.com/en-us/library/dd939933(v=ws.10).aspx.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Wednesday, July 18, 2012 5:19 PM
  • None of these questions have anything to do with whether you use client-side targeting, or not.
    So I am assuming that no updates will be pushed to clients until I go to WSUS server and approve certain updates?
    Correct. You have to approve updates.
    On WSUS Server If I select and approve few updates on "Monday", select the WSUS computer groups and set Deadline as "Friday" Night. When will patches downloaded to Clients?
    Sometime after you set the approvals on Monday.
    Does 22 hrs autoupdate policy initiate and download the updates before Friday
    If it doesn't, the client is broken.
    If I dont set any deadline ,Will updates gets dowbloaded immediatly after approval in WSUS server?
    Probably not immediately after, but shortly thereafter. When you approve the update in the WSUS console, then the WSUS server must download the installation files for that update. Depending on how many and what type of updates you approve, and how much available bandwidth you have, that could take some time. After the files are downloaded, and the client executes its next scheduled detection (which could be up to 22 hours later), and finds the update approved and the files available for download, it will download the updates.
    If I have 100 servers in one Computer group but want to patch only 50 this time. Can I do this without moving these servers out of OU in AD ?
    Yes, but it ain't easy. You'll need to create an Active Directory Security Group. Put one half of the servers in Group1 and the other half in Group 2. Create two WSUS Target Groups, one for SecGroup '1' and the other for SecGroup '2'. Then create two GPOs. Configure one GPO to assign members to WSUS Target Group '1' and the other GPO to assign members to WSUS Target Group '2'. Then use Active Directory Group Policy Security Filtering to apply the GPOs to the correct Security Groups. Discussing the details of how to use AD GPO Security Filtering is beyond the scope of this forum. For more information on that process, please inquire in the Active Directory and/or Group Policy forums.
    I do not want to create mutiple WSUS groups
    Not an option. At a minimum, separating whether patches are installed either requires managing approvals, or installing the updates interactively one machine at a time.
    and so OUs
    OrgUnits are a moot point, as a computer can only belong to one OrgUnit anyway.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Wednesday, July 18, 2012 5:30 PM
  • FYI - http://technet.microsoft.com/en-us/library/cc708574(WS.10).aspx

    Above mentioned worked for me....if anyone has any input...they can let know as well.....

    The current version of that article (for WSUS v3 SP2) can be found at http://technet.microsoft.com/en-us/library/dd939933(v=ws.10).aspx.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin


    Thanks for the current version's link Lawrence...


    VT

    Wednesday, July 18, 2012 7:23 PM
  • Thanks Lawrence,

    I would like to share one method we tried to push the updates in controlled manner while maintaining small number of OUs',WSUS Groups and GPO.

    1. Set WSUS for Client side targetting and create OU's with GPO applied to it.Example One OU for NON-PROD Servers and 2nd OU for PROD Servers (ofcourse same two WSUS groups). Non-Prod OU has 500 Servers and Prod OU has 1000 Servers.
    2. Now I want to apply updates to only 100 servers in Non-prod OU in 1st   week and so on.
    3. Create a Batch Script to "stop" Windows update service on remaining 400 servers.
    4. Approve patches and it will be downloaded  to 100 servers only
    5. Once patching activity (usually we do per month) is done ,run script to stop Windows update service on those 100 servers. 

    Thanks for your help Lawrence and VT


    Avinash S. ITIL,PMP

    Thursday, July 19, 2012 7:18 PM
  • Create a Batch Script

    Anything is possible with a script!

    I was answering the question within the scope of the native behavior of WSUS. :-)

    But... since you're using a script... why waste the effort of managing service starts and stops -- just do the install!

    Configure all 500 servers with AUOption '3'. Let them download the updates and leave the updates sitting in the local cache.

    Run a script to launch the installation of those updates on whichever 100 servers you want to install that day.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Friday, July 20, 2012 1:26 AM