WSUS Policy being removed

 
 
Dave Mills

 
      11-05-2009
In the past I have thought that the settings on the client for the WSUS server
remained when a GPO no longer applies to the client. This is not happening now,
when the GPO making the settings for WSUS (server, update time etc.) is no
longer applied to a client the client reverts to using Microsoft as the AU
server.

Is my memory failing or has this changed recently?
I am using WSUS 3 SP2
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 
 
 
 
 
Lawrence Garvin [MVP]

 
      11-05-2009
"Dave Mills" wrote in message:
> In the past I have thought that the settings on the client for the WSUS server
> remained when a GPO no longer applies to the client. This is not happening now,
> when the GPO making the settings for WSUS (server, update time etc.) is no
> longer applied to a client the client reverts to using Microsoft as the AU
> server.
>
> Is my memory failing or has this changed recently?
> I am using WSUS 3 SP2


This has not changed, to my knowledge.

However if there's an existing policy with a lower application priority with
AU disabled, moving a client out of an OU or unlinking a GPO could cause a
policy at any other level (Local, Site, Domain) to become "in force".

I'd run RSOP on the client and see where it's getting the UseWUServer config
value from. (i.e. "Specify intranet Microsoft update services location" is
disabled).


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

 
 
Dave Mills

 
      11-06-2009
On Thu, 5 Nov 2009 07:50:34 -0600, "Lawrence Garvin [MVP]" wrote:

>"Dave Mills" wrote in message:
>> In the past I have thought that the settings on the client for the WSUS server
>> remained when a GPO no longer applies to the client. This is not happening now,
>> when the GPO making the settings for WSUS (server, update time etc.) is no
>> longer applied to a client the client reverts to using Microsoft as the AU
>> server.
>>
>> Is my memory failing or has this changed recently?
>> I am using WSUS 3 SP2

>
>This has not changed, to my knowledge.
>
>However if there's an existing policy with a lower application priority with
>AU disabled, moving a client out of an OU or unlinking a GPO could cause a
>policy at any other level (Local, Site, Domain) to become "in force".
>
>I'd run RSOP on the client and see where it's getting the UseWUServer config
>value from. (i.e. "Specify intranet Microsoft update services location" is
>disabled).


Thanks for confirming my memory is not at fault :-)

I simply moved the PC to the default "computers" container. There are just 4
GPOs applied at the domain level and none touch the WSUS settings, there are no
Site GPOs. As soon as the PC is rebooted I start getting the Yellow Shield
prompting to set up Auto Update.

The WSUS setup was done more than 2 years ago and I have not needed to make any
change to its design since the beginning. The only significant change was the
installation of WSUS SP2 a couple of weeks ago (installed over SP1). I do not
move PCs out of the WSUS scope very often so was somewhat surprised when I
stumbled across this on Wednesday.

If this has been changed then I am pleased as this would make the behavior
consistent with normal GPO behavior, i.e. the policy settings are removed when
the policy no longer applies. I could leave the domain but that would also
remove the "managed computer" status which could require a full re-deployment to
fix.

Pinning this down could become quite a lengthy process so I was hoping somebody
else might test for this behavior by denying the WSUS GPO settings to an
existing PC to see if the same thing happens to them in a WSUS SP2 setup.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 
 
Harry Johnston [MVP]

 
      11-07-2009
Dave Mills wrote:

> I simply moved the PC to the default "computers" container. There are just 4
> GPOs applied at the domain level and none touch the WSUS settings, there are no
> Site GPOs.


Did you check the local GPO on the machine itself?

> Pinning this down could become quite a lengthy process so I was hoping somebody
> else might test for this behavior by denying the WSUS GPO settings to an
> existing PC to see if the same thing happens to them in a WSUS SP2 setup.


Time permitting, I'll try this on Monday.

Harry.
 
 
Dave Mills

 
      11-07-2009
On Sat, 07 Nov 2009 20:51:45 +1300, "Harry Johnston [MVP]" wrote:

>Dave Mills wrote:
>
>> I simply moved the PC to the default "computers" container. There are just 4
>> GPOs applied at the domain level and none touch the WSUS settings, there are no
>> Site GPOs.

>
>Did you check the local GPO on the machine itself?

No, I never use it in an AD domain environment and this has been seen on two PCs
so far. One, a laptop, that I first noticed this on and the second a test PC we
install from an image whenever we need to set things up. Besides, if I install an
image and join the domain, WSUS gets set up by the domain/newbuilds GPO. Moving
the PC to the Computers container never used to un-configure WSUS but it is
doing so now.

>
>> Pinning this down could become quite a lengthy process so I was hoping somebody
>> else might test for this behavior by denying the WSUS GPO settings to an
>> existing PC to see if the same thing happens to them in a WSUS SP2 setup.

>
>Time permitting, I'll try this on Monday.
>
> Harry.

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 
 
Harry Johnston [MVP]

 
      11-08-2009
Dave Mills wrote:

> Pinning this down could become quite a lengthy process so I was hoping somebody
> else might test for this behavior by denying the WSUS GPO settings to an
> existing PC to see if the same thing happens to them in a WSUS SP2 setup.


I can confirm the same behaviour here. When group policy was removed, the
previous settings (from the AU control panel) were restored.

Harry.
 
 
Harry Johnston [MVP]

 
      11-09-2009
I wrote:

>> Pinning this down could become quite a lengthy process so I was hoping somebody
>> else might test for this behavior by denying the WSUS GPO settings to an
>> existing PC to see if the same thing happens to them in a WSUS SP2 setup.

>
> I can confirm the same behaviour here. When group policy was removed,
> the previous settings (from the AU control panel) were restored.


... but I can't reproduce what I thought the previous behaviour was. Windows
XP SP2, no updated WUA, no updates of any kind, and the darn thing still reverts
to the previous settings when the group policy is removed.

Odd.

Harry.
 
 
Dave Mills

 
      11-09-2009
On Mon, 09 Nov 2009 19:05:26 +1300, "Harry Johnston [MVP]" wrote:

>I wrote:
>
>>> Pinning this down could become quite a lengthy process so I was hoping somebody
>>> else might test for this behavior by denying the WSUS GPO settings to an
>>> existing PC to see if the same thing happens to them in a WSUS SP2 setup.

>>
>> I can confirm the same behaviour here. When group policy was removed,
>> the previous settings (from the AU control panel) were restored.

>
> ... but I can't reproduce what I thought the previous behaviour was. Windows
>XP SP2, no updated WUA, no updates of any kind, and the darn thing still reverts
>to the previous settings when the group policy is removed.
>
>Odd.

Thanks for confirming this Harry. I wonder where the accepted wisdom came from
then. Has this been changed for a long time and nobody has noticed?

Still I prefer this as it conforms to expected behaviour for group policy.
>
> Harry.

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 
 
Lawrence Garvin [MVP]

 
      11-09-2009

"Harry Johnston [MVP]" wrote in message:

> I can confirm the same behaviour here. When group policy was removed, the
> previous settings (from the AU control panel) were restored.


This is definitely *new* behavior.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

 
 
Lawrence Garvin [MVP]

 
      11-09-2009
"Harry Johnston [MVP]" wrote in message:

> ... but I can't reproduce what I thought the previous behaviour was.
> Windows XP SP2, no updated WUA, no updates of any kind, and the darn thing
> still reverts to the previous settings when the group policy is removed.


That is weird... because on numerous occasions I've observed registry values
"left over" from policy settings changed back to "Not Configured".

And, maybe this has to do with the difference between *removing* the policy, and
simply reconfiguring a setting within an existing policy.



--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
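
The question running through this thread (is the client still pointed at WSUS, and are policy values left behind once the GPO stops applying) can be checked directly on the client, because the WSUS policy settings are written under the Policies registry key. The following is an added example, not part of any post above; the function names and state labels are illustrative, and the sample server URL is constructed.

```powershell
# Policy-written Windows Update settings live under these two keys.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Read-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-WsusPolicyState {
    # -Values lets you classify constructed data instead of the live registry.
    param([hashtable]$Values)
    if (-not $Values) {
        $Values = @{
            WUServer     = Read-PolicyValue $WuKey 'WUServer'
            WUStatusServer = Read-PolicyValue $WuKey 'WUStatusServer'
            UseWUServer  = Read-PolicyValue $AuKey 'UseWUServer'
        }
    }
    $state = if ($Values.UseWUServer -eq 1 -and $Values.WUServer) {
        'WSUS policy in force'
    } elseif ($Values.UseWUServer -eq 1) {
        'Inconsistent: UseWUServer=1 but WUServer missing'
    } elseif ($Values.WUServer) {
        'Leftover: WUServer present but UseWUServer is not 1'
    } else {
        'No WSUS policy values: client falls back to Microsoft Update'
    }
    [pscustomobject]@{
        State          = $state
        WUServer       = $Values.WUServer
        WUStatusServer = $Values.WUStatusServer
        UseWUServer    = $Values.UseWUServer
    }
}

# Constructed samples: a managed client, then one that has left the GPO's scope.
Get-WsusPolicyState -Values @{ WUServer = 'http://wsus.example.local'; UseWUServer = 1 }
Get-WsusPolicyState -Values @{ }

# Live check on the local machine (run before and after moving the computer object).
Get-WsusPolicyState
```

Running the live check before and after a `gpupdate /force` and reboot shows whether the values are removed with the GPO; RSOP, as suggested in the thread, then tells you which GPO (if any) is supplying them.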

 