WSUS Help II

Started by Jeff Zylstra, October 24, 2012, 11:27:38 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Jeff Zylstra

I think that someone mentioned this in an earlier post somewhere, but I can't find it right now, so I'll ask again.  I use WSUS (Windows Server Update Services) to download and install Windows updates for both my server and all the workstations.  I usually "approve" the updates, and then set a custom time and date for the deadline by which they need to be installed.  Usually, if I set the deadline 3 or more hours after we close, everyone was off the system and those updates that required a reboot of the computer did not disrupt anything. 

Last week, some cockamamie Windows update felt it was necessary to reboot our file server at 3:00 in the afternoon.  Occasionally this happens on workstations too.  How do I stop this from happening? 
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Charlie Charbonneau

Double check the settings on the group policy for servers which your servers should be receiving update styles from.  I believe these are installed along with wsus so they should be there. make sure they are not set to install automatically, but require permission to install updates and not reboot automatically.
Charlie Charbonneau
GBMB Insurance
San Antonio TX.

EPIC 2022, CSR24, Windows 2012 Hyper-V & 2016, Win10/11 Pro Stations, Sophos Anti-Virus.
.                .                 ..              ...

Alice Mooney

This happened to us last month.  If the server is not logged in, it will reboot without asking.  Since I've logged it in, I'm now prompted to reboot when updates are installed. Just a thought...
Epic 2023 R2 Online
1000+ users

Jeff Zylstra

Quote from: Alice on October 24, 2012, 01:37:52 PM
This happened to us last month.  If the server is not logged in, it will reboot without asking.  Since I've logged it in, I'm now prompted to reboot when updates are installed. Just a thought...

And an excellent thought at that, since I don't always leave my server logged in.  And it's been eons since I've checked my GPO regarding this, so it is excellent advice.  Thank you, Alice and Charlie!  +1 to both of you.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Alice Mooney

Good luck, Jeff. Rebooting in the middle of NU was one too many times for me. What a mess that was.
Epic 2023 R2 Online
1000+ users

JasonK

You can put the computers into different "groups."  I put all of my servers into a different group and manually run the updates on them at a time of my choosing.  I too experienced the server auto reboot occasionally until I did this setup.

Jeff Zylstra

Quote from: JasonK on October 25, 2012, 08:09:40 AM
You can put the computers into different "groups."  I put all of my servers into a different group and manually run the updates on them at a time of my choosing.  I too experienced the server auto reboot occasionally until I did this setup.

Precisely what I was thinking.  Thank you, Jason.  I just need to remember how I set this up.  TechNet says something about editing the Wuau.Adm file, but I tried that yesterday, and it wouldn't let me do that because it was "in use".  It also didn't help to turn off the Windows Update Service, so I'll have to revisit that.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Ian Blundell

Jeff
If you open M$ Windows Update Services on your WSUS server then you should be able to add the computer group (if it doesn't already exist),  set the update options and move computers between groups from there.
At least that is how it works on my 2008 SBS server.
Ian Blundell
BHB Insurance
35 users, TAM 10.7, Fax@vantage 7.2

Jeff Zylstra

Quote from: Ian Blundell on October 25, 2012, 01:31:20 PM
Jeff
If you open M$ Windows Update Services on your WSUS server then you should be able to add the computer group (if it doesn't already exist),  set the update options and move computers between groups from there.
At least that is how it works on my 2008 SBS server.

Thank you Ian.  Unfortunately, I can't move the server to the "Server" group that I created.  I'm guessing that's because I chose the Group Policy method to assign computers to groups.  I now have to figure out how to undo what I've done.  Sadly, I made the dumb mistake of deleting the server from the WSUS group, thinking I could just recreate it in the new "Server" group.  Not that easy.  I'll have to figure out how to fix that problem now too.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Jeff Zylstra

Quote from: Ian Blundell on October 25, 2012, 01:31:20 PM
Jeff
If you open M$ Windows Update Services on your WSUS server then you should be able to add the computer group (if it doesn't already exist),  set the update options and move computers between groups from there.
At least that is how it works on my 2008 SBS server.

Just wondering if this applies to computers that are "asleep" as well?  I've had workstations that have been logged in with files open, but have "fallen asleep" or otherwise gone into a powered down type of state and have rebooted.  When they reboot, they say that Windows has updated them, so I'm curious if this could be the case.  I've also had them force a reboot of users logged in too.  It just says that the computer is rebooting in 10 minutes, and there's not a stinking thing you can do about it.  Not exactly in those words, but you get my drift...  Just wondering what causes this bad behavior.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Jeff Zylstra

OK, I figured out my blunder here.  I had 3 different organizational units or "OUs" that controlled the same machines.  I had "Default Domain Policy", "Domain Controller Policy" and "Redirect Folders Policy".  I disabled the WSUS feature in the Default Domain, changed the name of the WSUS group to "Servers" in "Domain Controller Policy", and left the WSUS setting the same (WSUSUpdates) in the "Redirect Folders Policy".  After running GPUPDATE on the server, the Domain Controller that runs WSUS now shows up in the Servers group.

Don't know how that happened, but lesson learned to check all of the linked OUs for the setting.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Ben Thoele

I wouldn't edit anything you don't have to in your default group policies.  Ex: password age. 
We have our AD structure as:
-domain.net
    -OU "yourdomain"
           -OU Groups
           -OU Servers
           -OU Users
           -OU Workstations or Computers

Put all you servers in the "Servers" OU.  Then in GP management, create a "no-restart" Group Policy Object called "Windows Update -no restart-" and apply it to the "Servers" OU.


     
Ben Thoele, I.T. Coordinator
TAM 12.2
33 Users
Mahowald Insurance
Saint Cloud, MN

Jeff Zylstra

Quote from: Ben Thoele on October 29, 2012, 01:25:53 PM
I wouldn't edit anything you don't have to in your default group policies.  Ex: password age. 
We have our AD structure as:
-domain.net
    -OU "yourdomain"
           -OU Groups
           -OU Servers
           -OU Users
           -OU Workstations or Computers

Put all you servers in the "Servers" OU.  Then in GP management, create a "no-restart" Group Policy Object called "Windows Update -no restart-" and apply it to the "Servers" OU.
   

Thanks, Ben.  I will work on this after we get our phones working again.  The power supply on the phone system went out, so I am trying to reboot the phones and get them to stay working.  So far, no joy.  Thanks, Ben.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Ben Thoele

Quote from: Ben Thoele on October 29, 2012, 01:25:53 PM

I wouldn't edit anything you don't have to in your default group policies.  Ex: password age. 
We have our AD structure as:
-domain.net
    -OU "yourdomain"
           -OU Groups
           -OU Servers
           -OU Users
           -OU Workstations or Computers

Put all you servers in the "Servers" OU.  Then in GP management, create a "no-restart" Group Policy Object called "Windows Update -no restart-" and apply it to the "Servers" OU.

     

P.S.
If you setup your AD structure this way.  Also add additional OUs under the "Users" and "Computers" OU for each department.

For instance under the Users OU I have Commercial, Personal, and Benefits.  Then put users in their prospective OU.

Ben Thoele, I.T. Coordinator
TAM 12.2
33 Users
Mahowald Insurance
Saint Cloud, MN