Group:  English: Windows Server » microsoft.public.windows.server.update_services
Thread: Use wsus 3.0 for reporting only

Use wsus 3.0 for reporting only
Mark Quinn 5/30/2007 11:59:02 AM
Hi,

I am planning on using wsus 3.0 for remediation of missing patches on
servers and I want to use wsus for reporting only. I have used wsus 2.0 for
patching and it's worked fine, but I don't know which setting to use to get
the client just to report back but not want to install.

I also want a computer group that will install by default and have tried
getting the registry entries working but the computers are not re-booting,
here's what I'm using for registry settings

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate]
"WUServer"="http://servername"
"WUStatusServer"="http://servername"
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="new comptuers"
"ElevateNonAdmins"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU]
"IncludeRecommendedUpdates"=dword:00000001
"UseWUServer"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000001
"ScheduledInstallTime"=dword:00000003
"AutoInstallMinorUpdates"=dword:00000001

Re: Use wsus 3.0 for reporting only
"Lawrence Garvin (MVP)" <onsitech[ at ]community.nospam> 5/30/2007 2:45:59 PM
"Mark Quinn" <Mark Quinn[ at ]discussions.microsoft.com> wrote in message
news:FA0F601B-AEB1-4AEB-AE38-7FD1FD727B7B[ at ]microsoft.com...

> I am planning on using wsus 3.0 for remediation of missing patches on
> servers and I want to use wsus for reporting only. I have used wsus 2.0
> for
> patching and it's worked fine,

> but I don't know which setting to use to get
> the client just to report back but not want to install.

That's not a feature set of WSUS. WSUS is designed to distribute updates,
primarily. Reporting is a natural extension to that function.

The best you can hope for is leaving *everything* on the WSUS server marked
as "Not Approved". Because WSUS 3 is auto-configured for "Detect Only" all
clients will report updates that are "Needed". You'll still have to get
those updates installed, somehow, and that's the part that's boggling my
mind. Why would you not also use WSUS to do that?

> I also want a computer group that will install by default

The way to do this is configure an Auto-Approval rule in WSUS v3 that auto
approves all updates for the specified target group.

> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate]
> "WUServer"="http://servername"
> "WUStatusServer"="http://servername"
> "TargetGroupEnabled"=dword:00000001
> "TargetGroup"="new comptuers"
> "ElevateNonAdmins"=dword:00000001

If you're specifically looking for a scenario to assist in immediate
updating of newly deployed systems, take a look at this article that
describes a methodology I designed/used to update an XP SP1 system to fully
post-SP2 patched. The whole process took only a few hours.

How long does it take to fully update a Windows XP SP1 system?
http://wsusinfo.onsitechsolutions.com/articles/012.htm

> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU]
> "IncludeRecommendedUpdates"=dword:00000001

This is an undocumented registry value for this key. Do you have a reference
where you obtained information on this value?

> "AUOptions"=dword:00000003

Also, be aware that this setting will require a human being to initiate the
installation of updates.

> "ScheduledInstallDay"=dword:00000001
> "ScheduledInstallTime"=dword:00000003

And, with AUOptions=dword:0x3, these two settings are ignored.

--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
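
Added example, not part of any post in this thread: a Python script that reads a .reg export like the one Mark posted and states what the AU values will do on the client, including the point above that the schedule values only take effect with AUOptions=4. The function names and the trimmed sample export are constructed for this example; the AUOptions meanings are the documented ones for the Automatic Updates policy key.

```python
import re

# Documented meanings of AUOptions under ...\WindowsUpdate\AU.
AU_OPTIONS = {
    2: "notify before download and before install",
    3: "download automatically, notify before install",
    4: "download automatically, install on the schedule",
    5: "local administrators choose the setting",
}
DAYS = ["every day", "Sunday", "Monday", "Tuesday", "Wednesday",
        "Thursday", "Friday", "Saturday"]

# Constructed sample: the AU section of the export posted in this thread, trimmed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000001
"ScheduledInstallTime"=dword:00000003
'''

def parse_reg(text):
    """Return {lower-cased key path: {value name: int or str}}; other value types are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and current is not None:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return keys

def audit_au(text):
    """Describe what the AU policy values in a .reg export will do on the client."""
    au = next((v for k, v in parse_reg(text).items()
               if k.endswith(r"\windowsupdate\au")), {})
    if au.get("NoAutoUpdate") == 1:
        return ["NoAutoUpdate=1: Automatic Updates is disabled"]
    opt = au.get("AUOptions")
    findings = [f"AUOptions={opt}: {AU_OPTIONS.get(opt, 'unrecognised value')}"]
    day, hour = au.get("ScheduledInstallDay"), au.get("ScheduledInstallTime")
    if opt == 4:
        if day in range(8) and hour in range(24):
            findings.append(f"installs {DAYS[day]} at {hour:02d}:00")
        else:
            findings.append("AUOptions=4 but the schedule is missing or out of range")
    elif day is not None or hour is not None:
        findings.append("schedule values are set but ignored (only used with AUOptions=4)")
    return findings
```

Run against the posted values, `audit_au(SAMPLE_REG)` reports the notify-before-install mode and flags the schedule as ignored; changing AUOptions to 4 turns the same two schedule values into "installs Sunday at 03:00".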


Re: Use wsus 3.0 for reporting only
Mark Quinn 5/30/2007 4:23:03 PM
Hi Lawrence,

We actually use sms for the patching (sms 3.0) and the reason that I want to
use it to detect is to give it to the sms team for them to patch. I got the
key by using gpedit and creating a reg file from the registry, this is off of
a windows 2003 sp2 server.

I was kind of surprised myself I hadn't ever seen that setting before. Do you
think that they will put the detect only back into wsus 3.0? if not I will
probably stick with 2.0 as it gives that flexibility.

would you mind if I ask what the registry settings would be for an immediate
installation? I just want to compare my settings.

Re: Use wsus 3.0 for reporting only
"Lawrence Garvin (MVP)" <onsitech[ at ]community.nospam> 5/30/2007 5:06:58 PM
"Mark Quinn" <MarkQuinn[ at ]discussions.microsoft.com> wrote in message
news:89943BB7-6C2B-4D0B-9036-715D3496B797[ at ]microsoft.com...

> We actually use sms for the patching (sms 3.0) and the reason that I want
> to
> use it to detect is to give it to the sms team for them to patch.

Why not use the detection engine built into SMS2003?

Also, your SMS guys will want to pay close attention to System Center
Configuration Manager 2007, which essentially uses the WSUS engine to detect
required updates.

>> > "IncludeRecommendedUpdates"=dword:00000001

> I got the
> key by using gpedit and creating a reg file from the registry, this is off
> of
> a windows 2003 sp2 server.
> I was kind of surprised myself I hadn't ever seen that setting before.

I'll check into this. It could be a key introduced by Service Pack 2, but I
don't know why the Windows people would be mucking with the WUA/WSUS policy
keys. It's definitely not documented in the WSUS 3.0 Deployment Guide.

> Do you
> think that they will put the detect only back into wsus 3.0?

No.

> if not I will
> probably stick with 2.0 as it gives that flexibility.

Until your SMS guys decide to upgrade to SCCM2007. :-)

> would you mind if I ask what the registry settings would be for an
> immediate
> installation? I just want to compare my settings.

An "immediate installation" isn't really as much a factor of registry
settings as it is creating deadlined approvals in a special target group and
configuring AD to auto-join new systems into that OU. All of which are
outlined in the cited article.

The only registry setting of significance is reducing the detection interval
to 1 hour in that custom target group.

--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....


Re: Use wsus 3.0 for reporting only
Mark Quinn 5/30/2007 5:19:00 PM
Hi Lawrence,

I'm not sure of the detection engine, the area that does the patching is
different from ours (we just build / deploy / support the servers) this is
more of a check to make sure that the appropriate patches are deployed
because there are always some that are missed by sms (for some reason).

I appreciate the help.

Thanks

Re: Use wsus 3.0 for reporting only
Harry Johnston <harry[ at ]scms.waikato.ac.nz> 5/30/2007 6:55:14 PM
Mark Quinn wrote:

> I am planning on using wsus 3.0 for remediation of missing patches on
> servers and I want to use wsus for reporting only. I have used wsus 2.0 for
> patching and it's worked fine, but I don't know which setting to use to get
> the client just to report back but not want to install.

If the client's automatic update agent is configured to "notify but not download
or install" I suspect that this will do what you want.

Harry.

Re: Use wsus 3.0 for reporting only
DaveMills <DaveMills[ at ]newsgroup.nospam> 5/30/2007 8:00:03 PM
On Wed, 30 May 2007 09:23:03 -0700, Mark Quinn
<MarkQuinn[ at ]discussions.microsoft.com> wrote:

>Hi Lawrence,
>
>We actually use sms for the patching (sms 3.0) and the reason that I want to
>use it to detect is to give it to the sms team for them to patch. I got the
>key by using gpedit and creating a reg file from the registry, this is off of
>a windows 2003 sp2 server.
>
>I was kind of surprised myself I hadn't ever seen that setting before. Do you
>think that they will put the detect only back into wsus 3.0? if not I will
>probably stick with 2.0 as it gives that flexibility.

WSUS 3.0 has a detect only, it is the default and the difference from WSUS 2 is
that 3 lacks the "approve for detect" since it is always on.

>
>would you mind if I ask what the registry settings would be for an immediate
>installation? I just want to compare my settings.
There is no such setting. The only way is to set an expired deadline on the
update.

--
Dave Mills
There are 10 type of people, those that understand binary and those that don't.