One for the fellow IT Geeks -WSUS

[shabba]

Hi folks,

Anyone here familair with WSUS 3.0? Setting one up to handle around 200 PC's - then maybe expand to 500+.

Anyway is set up but looking for practical info for managing the deployment.

 

[Z4 Beemer]

Yes, we have a few running. Is it bascially just the policy settings you are after on the client PC's?

 

[shabba]

Thanks.

Well I've set up a test OU in Active Directory, used a policy to point the test PC at the WSUS and over the weekend it appeared on the WSUS server in the right container I set.

However it doesnt display the windows version or its status as such, no IP either - just the machine name. Is it a Windows Firewall issue? Running the status report doesnt update it.

I also added an old server into the OU but it has not appeared on the WSUS as yet, odd.

 

[jeff spangle]

Run WUAUCLT.EXE on the client should force them to look at WSUS.

Policy changes should include intranet WSUS location and configure auto updates

Plus, run GPUPDATE /FORCE on clients/servers

 

[Taz]

and when you have done that, get in the zed and have a bloody good blast, you deserve it

 

[shabba]

WUAUCLT.EX - did that on thetest PC but not the test server - thing is I don't want to have to run that command on all the PC's (i.e the 200 I will add).

Yep that is right regarding policy changes.

Yep done the gpupdate command too on both Machines.

 

[ranski]

If your moving to 500+ clients and you have a volume/EA agreement with M$ then i would invest in SMS/SCCM as this will give you much more flexibility when doing security updates and software deployments

 

[Z4 Beemer]

You can also run: WUAUCLT.EXE /detectnow and WUAUCLT.EXE /resetauthorization.

Status can take a while to update intially...

Happy to send you the registry settings we have in place on our client PC's.

 

[jeff spangle]

As Z4 Beemer says, /detectnow is the switch

You could put the command in a "run once" script/login script and deploy in a GPO

 

[shabba]

Thanks guys, but like I say I don't want to have to run commands on all PC's to get them seen by the WSUS box.....

GP settings;


Computer policy:

Administrative templates – Windows components – Windows update:
• Configure Auto updates – set to auto install daily at 1pm
• No auto restart – set to enabled (i.e so it doesn’t reboot on its own accord)
• Allow auto updates immediate installation – set to enable, this applies updates that do not interrupt Windows Services and do not require a reboot
• Specify intranet service location – set to http://ukwsus1:8530 for both entries
• Enable client side targeting – enabled - set to Local office (different per GPO)

 

[Z4 Beemer]

I think you will at least need to restart the wuauserv service on all PC's to get them to pick up the new policy settings (or just reboot them )

net stop wuauserv
net start wuauserv

Explains why your old server hasn't appeared in WSUS yet...?

 

[shabba]

How quickly should client PC's be found by the WSUS server?

I used a client diag tool and it seems to indicate its finding the server.

 

[Z4 Beemer]

Pretty sure that you can set a Detection Frequency parameter... Think the default might be 22 horus if not specified? :?

 

[shabba]

Hmm well I have got the PC's picked up, removed the port number from the client side targetting GP setting and added in the full name too.

Now the Pc's are picked up and the OS and IP is present, I've approaved all critical and security updates on the WSUS box too. However the PC's arent reporting for some reason, i.e doesnt tell me about what updates they need and such.