
Auto Updates Group Policy 2

Status
Not open for further replies.

mikehday

MIS
Mar 28, 2003
116
US
I'm looking for a simple way to deploy security patches to servers. I created a couple of groups to turn auto updates on for 3PM the next day and then another group to turn the updates off once the patches are installed and the servers have rebooted automatically.

If I've already tested all the patches on some test servers and have determined they can be deployed to my development servers, or my QA and the next week to Production, isn't this something that can be easily achieved so I don't need to set up an SUS environment or use an SMS server?

I just set up the groups but don't see the policy going into effect after doing a gpupdate /force and gpresult.
 
Personally I would just set up WUS and then set the GPO to deploy.

It's simple, free and actually works OK.
 
I thought WUS required clients installed on the computers (in my case servers). Can you give me a link so I can do further research? Also I don't have full domain privs on AD and would have to talk the AD administrator into deploying this.
 
I agree that WSUS is the way to go here. You can configure it into as many groups, with just as many policies for download, installation and reboot times. You could set up your patch deployment phases for testing, dev and production as well.

Also, you don't necessarily need a separate server for this as overhead is very low. It doesn't even need to be installed on a domain server, however it can still interact with policies and whatnot by using client-based targeting. Shouldn't take more than a day to install and configure all your policies and groups.

Here's a link to download the software as well as some step-by-step guides to installing and configuring.


I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
By the way, there is no client. It is all configured with the native Windows update services properties, which can be controlled with group policy.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
Ok ... you've convinced me. Time to check out WUS.

Thanks for the advice,
Mike
 
When using WSUS, you will typically want to configure a minimum of three GPOs per MS recommendations.

GPO1: All common settings (WSUS Server info)
GPO2: Automatic reboot policy for servers (set to no reboot)
GPO3: Automatic reboot policy for workstations (set to auto reboot)

Note: A fourth GPO is also recommended by MS for your test machines.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Yea ... now I remember why we didn't deploy this a long time ago. When it first came out it wouldn't work in my environment. I have Test, Dev, QA and Production deployment phases. It wouldn't work with all 4 groups ... I think I needed a different WUS server for each?

Now from your posts it looks like it should work just fine.

Thanks again for your advice.

Mike
 
Like I said before, you can set up as many separate groups as you like, each having its own policies for scheduling installation and reboot times. I administer a hosting environment with multiple domains, each reporting back to a single WSUS server and having their own policies and schedules. Currently I have 28 groups configured, with just as many WSUS policies. So, yes...configuring 4 groups is possible!

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
I've got servers on two separate domains. Will I need 1 WUS server for each?
 
All you need is a single WSUS server. Its functionality doesn't directly rely on AD for its services. Clients from multiple domains can check in with a single WSUS server, regardless of its AD membership.

The policies are configured for each domain, which configure the Windows update services properties for its AD clients. The clients point to a WSUS server, which doesn't need to be in their domain. In fact, the WSUS server doesn't need to be a member of any domain because it serves independently.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
I've got servers on two separate domains. Will I need 1 WUS server for each?

To add on Jonathan's last post. Just make sure that DNS allows the machines to resolve the server name and you should be OK.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
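
An added example, not part of any post in this thread: a PowerShell check to run on a client when, as in the opening question, `gpupdate /force` and `gpresult` do not show the policy taking effect. It reads the standard Windows Update policy registry values that the WSUS GPOs write and confirms the server name resolves; it assumes PowerShell 3.0 or later and only reads local state.

```powershell
# Added example: show what WSUS policy a GPO has actually written on this machine.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. no GPO has set it here.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$policy = [ordered]@{
    WUServer                      = Get-PolicyValue $wu 'WUServer'
    WUStatusServer                = Get-PolicyValue $wu 'WUStatusServer'
    TargetGroupEnabled            = Get-PolicyValue $wu 'TargetGroupEnabled'
    TargetGroup                   = Get-PolicyValue $wu 'TargetGroup'
    UseWUServer                   = Get-PolicyValue $au 'UseWUServer'
    AUOptions                     = Get-PolicyValue $au 'AUOptions'
    ScheduledInstallDay           = Get-PolicyValue $au 'ScheduledInstallDay'
    ScheduledInstallTime          = Get-PolicyValue $au 'ScheduledInstallTime'
    NoAutoRebootWithLoggedOnUsers = Get-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers'
}
$policy.GetEnumerator() | Format-Table Name, Value -AutoSize

$problems = @()
if (-not $policy.WUServer)            { $problems += 'WUServer is not set: the common-settings GPO has not applied.' }
if ($policy.UseWUServer -ne 1)        { $problems += 'UseWUServer is not 1: the client will not use the WSUS server.' }
if ($policy.TargetGroupEnabled -ne 1) { $problems += 'Client-side targeting is off: groups are assigned on the WSUS console instead.' }
if ($policy.AUOptions -ne 4)          { $problems += 'AUOptions is not 4 (auto download and scheduled install).' }

if ($policy.WUServer) {
    # The client must resolve the WSUS host name, whatever domain either side is in.
    $wsusHost = ([uri]$policy.WUServer).Host
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($wsusHost)
        "DNS: $wsusHost -> $($ips -join ', ')"
    } catch {
        $problems += "DNS: cannot resolve $wsusHost"
    }
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ } }
else                 { 'WSUS policy values are present and the server name resolves.' }
```

An empty `WUServer` points at GPO link, scope or security filtering rather than at WSUS itself, so compare the result with the applied-GPO list from `gpresult`.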
 