> AndoIT wrote:
>> We currently use WSUS in a GPO/Script scenario. We do this because we're
>> using it for servers and we will not always have the same window
>> (days/times) so using script is easier than modifying GPO's and or
>> Computer Groups.
>>
>> My question is, What would be the best settings to apply VIA GPO? and
>> What should we script for the Server Clients?
Personally, if I was locked into using a Scripting scenario, I wouldn't
configure the WUAgent via policy at all. I'd use the script to start-up and
shutdown the Automatic Updates service, and I'd leave it in MANUAL/STOPPED
state the rest of the time.
On the other hand, I'm not a big fan of using/maintaining scripts, when the
product is perfectly capable of achieving the stated objectives without
scripts.
>> Currently we apply the following with GPO:
>> 1: Specify MS update servers
Uhmmm.... what do you mean by this? If you're using WSUS, why would you
specify a =Microsoft= update server? Did you mean "Specify the WSUS Server"?
>> 2: Reschedule AU Schedule installations
Kinda pointless if you're doing installs from a script. This option will
never be engaged since this option only applies to missed installations that
were =scheduled= for installation at the policy configured scheduled
installation event, and since you shouldn't be using scheduled
installations on servers, this entire option has pretty much zero relevance
to a server system.
>> 3: No Auto-Restart (w/ Users logged in) will this also not restart if
>> users are not logged in?
It doesn't Not Restart -- it simply presents the user with a more
controllable message that the system needs to restart. If a user is not
logged in, the restart occurs immediately. Of course, to my previous point,
you shouldn't be doing scheduled installations on a server, so this
configuration option really has no relevance either. If an administrator is
logged onto the system, installations shouldn't be happening unless that
administrator is actually performing those installations. And, if the
administrator is performing those installations, then the administrator
already has this right, regardless of how the policy setting is configured.
This setting is for non-admin users (on workstations). Non-admin users
should not be logged onto servers.
>> 4: AU Detection Frequency
Do you configure an alternate detection frequency with this policy, or did
you just enable the policy setting?
If you configured an alternate detection frequency -- What is it?, and Why
did you select that value?
>> We Currently Apply the following using VB script:
>> 1: Enable Target Groups (assign target groups)
Really... why assign a *static* configuration setting by script when Policy
(which you're already using), can do exactly the same thing?
Actually, since you seem to only be using "Unassigned Computers", I'm not
sure why groups are of any relevance to you anyway.
>> 2: InstallDay
>> 3: InstallTime
These options are irrelevant, unless you're setting AUOptions=4, which you
should *never* do on a server.
>> 4. Enable WUServer
Same question as #1 -- why set this by a script when the value is, not only
static, but MUST be set to dword:0x1 to use a WSUS Server? There are no
legitimate circumstances in a WSUS environment for this value to ever
change.
>> 5. AUOptions (depending on what the servers owners want the behavior to
>> be)
This shouldn't be negotiable. It should be AUOptions=3. There's no value
(just waste of human time) in using AUOptions=2, and as noted previously,
servers should never be permitted to install updates unsupervised using
AUOptions=4.
If you're really committed to doing what the "server owners want".. then set
it to AUOptions=5, and let the server owners configure their own systems
from the Windows Update configuration dialog.
>> What we want to happen... We want all the servers within an OU to report
>> into WSUS to the Unassigned Computer Groups.
This is the default behavior. No action is necessary at all to achieve this
objective.
>> Then we know we're going to
>> approve updates we want to use the scripts to apply the settings for the
>> windows.
Truly, I find myself wanting to ask WHY? I know you've stated you do this
because your maintenance windows shift... but if you're triggering
installations from a script based on when that maintenance window actually
is -- then the configuration settings for the WUAgent are irrelevant. Set
the AUOptions value to '3', let the content download as soon as available --
and install the updates in the window you need to install them using the
scripts. The 'scheduled installation' day/time is irrelevant in this
scenario. (BTW, you can also achieve this entire scenario by effective use
of installation deadlines.)
>> We've done this and were 90% successful but not all servers reported back
>> in to WSUS when we ran the scripts.
Sounds like there may be some flaws in the scripts.
--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
MS WSUS Website:
http://www.microsoft.com/wsus
My MVP Profile:
http://mvp.support.microsoft.com/pro...awrence.Garvin
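
An added example, not part of the original post: a PowerShell check of a server's Windows Update policy values against the settings discussed in the reply above (WSUS server enabled, AUOptions=3 rather than 4, scheduled-install values unused). The function names, the sample table and the WSUS URL are constructed for illustration; the registry value names are the standard policy names under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

```powershell
# Added example (not from the original post). Value names are the standard
# Windows Update policy names; the sample data below is constructed.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuPolicy {
    # Merge the WindowsUpdate and WindowsUpdate\AU policy values into one table.
    $values = @{}
    foreach ($path in @($WuKey, "$WuKey\AU")) {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    return $values
}

function Test-WuServerPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $findings = @()
    if ($Policy['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1; the WSUS server setting is ignored'
    }
    if ([string]::IsNullOrEmpty($Policy['WUServer'])) {
        $findings += 'WUServer is not set'
    }
    $au = $Policy['AUOptions']
    if ($au -eq 4) {
        $findings += 'AUOptions=4 installs on a schedule, unsupervised'
    } elseif ($au -notin 3, 5) {
        $findings += "AUOptions is '$au'; the reply recommends 3"
    }
    # These values only matter for scheduled installs (AUOptions=4).
    $scheduledOnly = 'ScheduledInstallDay', 'ScheduledInstallTime', 'RescheduleWaitTime'
    foreach ($name in $scheduledOnly) {
        if ($au -ne 4 -and $Policy.ContainsKey($name)) {
            $findings += "$name is set but has no effect unless AUOptions=4"
        }
    }
    return $findings
}

# Constructed sample resembling the scripted configuration in the question.
$sample = @{ UseWUServer = 1; WUServer = 'http://wsus.example.internal:8530'
             AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3 }
Test-WuServerPolicy -Policy $sample
# On a live server: Test-WuServerPolicy -Policy (Get-WuPolicy)
```

An empty result means the values match the reply's recommendations; AUOptions=5 is accepted because the reply allows it when server owners configure their own systems.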