Group:  English: Windows Server » microsoft.public.windows.server.update_services
Thread: Client side targeting GPO settings

Client side targeting GPO settings
"skip" <shofmann[ at ]kbb.com> 12/11/2008 12:24:03 AM
Hello all

WSUS 3.0 sp1 server is running on windows 2008. The AD domain is Windows
2003 sp2 native mode. I want to use client side targeting using gpo's. How
should i configure my policy settings that will allow only *approved*
updates to be automatically installed on a group of computers or have the
ability to install an update on specific computer in a group vs deploying
the update to the entire group?

Basically what i need is... updates are automatically downloaded to the WSUS
server, I then want to manually pick the update that i want pushed out to a
group of servers or specific servers in a group. Once the update gets
installed, i must have the ability to control the restart

Many thanks for all your help, it's been invaluable!

Re: Client side targeting GPO settings
"Lawrence Garvin (MVP)" <lawrence[ at ]news.postalias> 12/11/2008 4:36:00 AM
"skip" <shofmann[ at ]kbb.com> wrote in message
news:6B1E3300-20DF-416E-9411-894F502C26D0[ at ]microsoft.com...
> Hello all
>
> WSUS 3.0 sp1 server is running on windows 2008. The AD domain is Windows
> 2003 sp2 native mode. I want to use client side targeting using gpo's. How
> should i configure my policy settings that will allow only *approved*
> updates to be automatically installed on a group of computers or have the
> ability to install an update on specific computer in a group vs deploying
> the update to the entire group?
>
> Basically what i need is... updates are automatically downloaded to the
> WSUS server, I then want to manually pick the update that i want pushed
> out to a group of servers or specific servers in a group.

This is the *normal* operation of WSUS.

> Once the update gets installed, i must have the ability to control the
> restart

This is not an option in WSUS.

> Many thanks for all your help, it's been invaluable!

Skip... based on the questions you've been asking, I must ask: Have you read
any of the supplied documentation with WSUS? Many of the questions you've
posted involve basic, normal operation of WSUS.


--
Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

Re: Client side targeting GPO settings
DaveMills <DaveMills[ at ]newsgroup.nospam> 12/11/2008 6:20:47 AM
On Wed, 10 Dec 2008 22:36:00 -0600, "Lawrence Garvin (MVP)"
<lawrence[ at ]news.postalias> wrote:

>"skip" <shofmann[ at ]kbb.com> wrote in message
>news:6B1E3300-20DF-416E-9411-894F502C26D0[ at ]microsoft.com...
>> Hello all
>>
>> WSUS 3.0 sp1 server is running on windows 2008. The AD domain is Windows
>> 2003 sp2 native mode. I want to use client side targeting using gpo's. How
>> should i configure my policy settings that will allow only *approved*
>> updates to be automatically installed on a group of computers or have the
>> ability to install an update on specific computer in a group vs deploying
>> the update to the entire group?
>>
>> Basically what i need is... updates are automatically downloaded to the
>> WSUS server, I then want to manually pick the update that i want pushed
>> out to a group of servers or specific servers in a group.
>
>This is the *normal* operation of WSUS.
>
>> Once the update gets installed, i must have the ability to control the
>> restart
>
>This is not an option in WSUS.

But you can get the updates to download and then control the Install+Reboot.
Delaying the reboot after half installing the updates is not sensible. Apart
from the first round of updates it seldom takes more than a minute or two to
install the update. Usually less time than the hardware takes to set up the RAID
etc. during the reboot.

>
>> Many thanks for all your help, it's been invaluable!
>
>Skip... based on the questions you've been asking, I must ask: Have you read
>any of the supplied documentation with WSUS? Many of the questions you've
>posted involve basic, normal operation of WSUS.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

Re: Client side targeting GPO settings
"skip" <shofmann[ at ]kbb.com> 12/11/2008 4:50:45 PM
Yea i know, i am currently reading the deploy guide, but i like to get real
world experience from experts like you.

So if a patch gets installed and it requires a reboot, there is no option in
WSUS to stop a reboot from happening? this will present a problem for us,
because we not only need to schedule patch installations but we also
must control/schedule the rebooting of the servers.

Sorry again for asking redundant questions, I am currently going through the
guide

Re: Client side targeting GPO settings
"Lawrence Garvin (MVP)" <lawrence[ at ]news.postalias> 12/11/2008 6:27:32 PM
"skip" <shofmann[ at ]kbb.com> wrote in message
news:1BF38B07-46F2-475E-BA4E-D81B4AC58A80[ at ]microsoft.com...
> Yea i know, i am currently reading the deploy guide, but i like to get
> real world experience from experts like you.

Just remember.. I'm doing this for free, on my own time, so at some point
when it's easier for you to read the actual answer than it is for me to type
the answer, I'm going to simply point you to the documentation.

If there's something "real world" that's not in the documentation, I'll be
happy to chat with you ad infinitum about such topics.


> So if a patch gets installed and it requires a reboot, there is no option
> in WSUS to stop a reboot from happening?

There is an option to *delay* the reboot ... but not to prevent it.

> this will present a problem for us, because we not only need to
> schedule patch installations but we also must control/schedule the
> rebooting of the servers.

There are dozens of options for this behavior and they've been discussed ad
infinitum in this newsgroup and in the forums over the past three years. My
best recommendation is to research the archives of this newsgroup.

In short, you can schedule the patch installations, but you should schedule
them when you can reboot the servers.

Note: The requirements of patching Windows operating systems are not new
with WSUS, and functionally have not changed in the past ten years. Frankly,
I'm continually surprised at organizations that have not yet dealt with
issues of how to manage installation of updates to their servers in a
controlled fashion.

Whether the tool is WSUS, Microsoft Update, AU, Shavlik, or any one of a
dozen others, the question has always existed = and the core bottleneck is
that =WINDOWS= requires a machine to be rebooted after an update to the
Operating System is applied. That's not likely to change in the near future
(despite the continuing unfulfilled promises from the Windows Product Group
that it will).

--
Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
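
The client-side targeting, install schedule and restart-delay settings this thread talks about reach each machine as registry values written by Group Policy. As an added example that is not part of any post here, this read-only PowerShell report shows what a given server actually received; the registry value names are the Windows Update Agent policy values, and the wording of the findings is this example's own.

```powershell
# Added example: read-only report of the Windows Update policy values on this machine.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $prop = $item.PSObject.Properties[$Name]
        if ($prop) { return $prop.Value }
    }
    return $null
}

$auOptionText = @{
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically, install on schedule'
    5 = 'Local administrator chooses'
}
$dayText = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

$server    = Get-PolicyValue $wu 'WUServer'
$useWsus   = Get-PolicyValue $au 'UseWUServer'
$tgEnabled = Get-PolicyValue $wu 'TargetGroupEnabled'
$tgName    = Get-PolicyValue $wu 'TargetGroup'
$option    = Get-PolicyValue $au 'AUOptions'
$day       = Get-PolicyValue $au 'ScheduledInstallDay'
$hour      = Get-PolicyValue $au 'ScheduledInstallTime'
$noReboot  = Get-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers'
$delayOn   = Get-PolicyValue $au 'RebootWarningTimeoutEnabled'
$delayMin  = Get-PolicyValue $au 'RebootWarningTimeout'

"WSUS server       : $server (UseWUServer=$useWsus)"
"Target group      : $tgName (TargetGroupEnabled=$tgEnabled)"
if ($null -ne $option) {
    "Install behaviour : $($auOptionText[[int]$option]) (AUOptions=$option)"
}
if ($null -ne $day -and $null -ne $hour) {
    "Install schedule  : {0}, {1}:00" -f $dayText[[int]$day], $hour
}
"Restart delay     : enabled=$delayOn, minutes=$delayMin"
"No auto-restart while a user is logged on: $noReboot"

$findings = @()
if ($useWsus -ne 1 -or -not $server) {
    $findings += 'Not pointed at a WSUS server, so WSUS approvals do not govern this machine.'
}
if ($tgEnabled -ne 1 -or -not $tgName) {
    $findings += 'Client-side targeting is not in effect; no target group is being reported.'
}
if ($option -eq 4) {
    if ($null -eq $day -or $null -eq $hour) {
        $findings += 'Scheduled install is selected but no day/time is set by policy.'
    }
    if ($delayOn -ne 1) {
        $findings += 'No restart delay is set; the agent default countdown applies after install.'
    }
    $findings += 'Installs run unattended: the schedule must fall inside a window where a restart is acceptable.'
}
if ($option -eq 3) {
    $findings += 'Updates are only downloaded; an administrator starts the install (and the restart that follows).'
}
$findings | ForEach-Object { "NOTE: $_" }
```

A target group set on the client is honoured only when the WSUS server itself is set to assign computers by Group Policy or registry settings rather than through the console.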

Re: Client side targeting GPO settings
"skip" <shofmann[ at ]kbb.com> 12/11/2008 8:12:39 PM
Thanks again for the information, and for tolerating me, I am digging into
the details now

Re: Client side targeting GPO settings
"skip" <shofmann[ at ]kbb.com> 12/11/2008 8:17:39 PM
Just wanted to add one comment. I wish i had the bandwidth to devote an hour
or two a day to this topic because it is very important that servers stay
updated with patches, but unfortunately patching servers has never been a
priority, the priority has always been keeping production systems and
applications running. I guess this is kind of like "rolling the dice" but
between exchange 2007, AD SAN, patching servers just isn't a priority, at
least not in the organization that i work in. It's security through obscurity
around here

Re: Client side targeting GPO settings
"Lawrence Garvin (MVP)" <lawrence[ at ]news.postalias> 12/11/2008 8:38:45 PM
"skip" <shofmann[ at ]kbb.com> wrote in message
news:0B35933A-B1A6-4D06-93F1-A393FFBDC540[ at ]microsoft.com...
> Just wanted to add one comment. I wish i had the bandwidth to devote an
> hour or two a day to this topic because it is very important that servers
> stay updated with patches,

This is the very point you need to consider. If it is "very important" that
servers stay updated with patches, then I would suggest that you cannot
afford not to invest four hours in learning the product thoroughly.

The good news is that it's actually not that complex, and the documentation
is very well written.

> but unfortunately patching servers has never been a priority, the priority
> has always been keeping production systems and applications running.

That's where your job comes into play. One of the responsibilities of a
patch administrator in an organization is to make management understand that
"patching servers" is directly equivalent to "keeping production systems and
applications running".

If there's any doubt, go back and dig out the media stories about the
corporate impact of Blaster or Slammer -- and the fact that those impacted
were simply those who failed to keep up with patching servers.

> I guess this is kind of like "rolling the dice" but between exchange 2007,
> AD SAN, patching servers just isn't a priority, at least not in the
> organization that i work in.

Your organization has sufficient resources to invest in 64-bit servers,
Exchange 2007, and SANs. There's *NO* excuse for such an organization not to
properly invest in the operational requirements of keeping those systems
running.

And, that's pretty much the bottom line. Patching IS an Operational
REQUIREMENT of running servers. Any organization who views it as an
annoyance or inconvenience or 'honey-do' is doomed for disaster.

> It's security through obscurity around here

Such organizations, invariably, end up working in the "revenue by
panhandling" category.

If I were in your place, I'd be betting on one of two options:

[1] Either my employer makes the necessary investments to ensure the
continued functioning of their extensive investment in technology, including
the *minimal* investment it takes to have a functional patching methodology,
and an educated patch administrator....

=or=

[2] I'd be dusting off my resume and looking for an employer who *is*
committed to making the necessary investments to keep their technology
functional.


--
Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

Re: Client side targeting GPO settings
"skip" <shofmann[ at ]kbb.com> 12/11/2008 9:03:18 PM
Well said!
