Configuring location based GPO for WSUS updates but only for some clients

6,190

Solution 1

You need multiple GPOs.

  1. Create 1 GPO to download using the WSUS server. Apply this to the site.
  2. Create a group containing the computers that you want to auto update.
  3. Create a GPO that sets the WSUS to auto install. Apply security filtering to the GPO that only lets the group in step 2 apply the policy. Apply this (as second priority to the GPO in step 1) to the site.

As far as connecting to WU, you need to have a company policy that remote users VPN in at some interval, to facilitate updates. Create a replica server in your DMZ with no content so the systems will get the content from the Microsoft Update servers (so you won't need to be connected to the VPN to get the updates).
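The three steps above, scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not code from either answer; the WSUS URL, site DN, OU and computer names are placeholders to replace for your own domain.

```powershell
# Added example (not from the original answers): builds the two-GPO layout from
# Solution 1. Names below are placeholders, not values from the page.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$WsusUrl = 'https://wsus.example.internal:8531'   # placeholder; the SSL port lets clients verify the server
$SiteDN  = 'CN=Main-Office,CN=Sites,CN=Configuration,DC=example,DC=internal'   # placeholder site
$GroupOU = 'OU=Groups,DC=example,DC=internal'                                   # placeholder OU
$WuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Step 1: one GPO that points every machine on the site at WSUS, download-only.
$base = New-GPO -Name 'WSUS - Use internal server (download only)'
Set-GPRegistryValue -Name $base.DisplayName -Key $WuKey -ValueName 'WUServer'       -Type String -Value $WsusUrl
Set-GPRegistryValue -Name $base.DisplayName -Key $WuKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl
Set-GPRegistryValue -Name $base.DisplayName -Key $AuKey -ValueName 'UseWUServer'    -Type DWord  -Value 1
Set-GPRegistryValue -Name $base.DisplayName -Key $AuKey -ValueName 'NoAutoUpdate'   -Type DWord  -Value 0
Set-GPRegistryValue -Name $base.DisplayName -Key $AuKey -ValueName 'AUOptions'      -Type DWord  -Value 3   # 3 = auto download, notify before install

# Step 2: the group of computers that are allowed to install automatically.
$grp = New-ADGroup -Name 'WSUS-AutoInstall' -GroupScope Global -GroupCategory Security -Path $GroupOU -PassThru
Add-ADGroupMember -Identity $grp -Members 'BACKOFFICE-PC01$', 'BACKOFFICE-PC02$'   # placeholder computer accounts

# Step 3: a second GPO that only changes the install behaviour, filtered to that group.
$auto = New-GPO -Name 'WSUS - Auto install (filtered)'
Set-GPRegistryValue -Name $auto.DisplayName -Key $AuKey -ValueName 'AUOptions'            -Type DWord -Value 4   # 4 = auto download and schedule install
Set-GPRegistryValue -Name $auto.DisplayName -Key $AuKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0   # 0 = every day
Set-GPRegistryValue -Name $auto.DisplayName -Key $AuKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3   # 03:00

# Security filtering: only the group may apply the GPO. Authenticated Users is
# downgraded to Read rather than removed, because computer accounts must still be
# able to read the GPO (required since the MS16-072 Group Policy change).
Set-GPPermission -Name $auto.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $auto.DisplayName -TargetName $grp.Name -TargetType Group -PermissionLevel GpoApply

# Link both GPOs to the site. Link order 1 has the highest precedence and is
# applied last, so the filtered auto-install GPO goes on top for its AUOptions to win.
New-GPLink -Name $base.DisplayName -Target $SiteDN -LinkEnabled Yes
New-GPLink -Name $auto.DisplayName -Target $SiteDN -LinkEnabled Yes -Order 1
```

Run `gpresult /r /scope:computer` on a member and a non-member of the group afterwards to confirm that only the member shows the auto-install GPO as applied.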

Solution 2

I've done this with WSUS and found that odd things go wrong. Do you want to use WSUS to approve the updates but download from MS?

I set up something like this where the main office had its own WSUS server and PCs in the branch offices had a secondary WSUS server. The secondary server was configured not to download anything and the approvals were chained from the main server. I used GPOs to assign PCs to one or the other.

What I found was that users who took their laptops to the main office would show up once on the main server and never be able to connect to the secondary WSUS server. I would have to delete the node from the main one to allow it to sync.

The same would occur for people who went to a branch office with their laptop.

Once a PC has contacted a particular WSUS node it appears to 'stick' and you cannot switch over to another one... but not always. Often this would correct itself. As far as I know this should work, but I kept finding nodes which had not updated in months. Deleting the node in WSUS would solve the issue.

In short, it didn't work well at all.

When people were offsite (but connected by VPN) the GPOs should have directed the users directly to MS, but I would find that they would keep applying the old GPOs, sometimes for months, before a `gpupdate /force` would correct the situation. This is a group policy problem but I never did find out why this occurred.

I switched over to a single server which feeds out the patches to everyone. Guess what? No one noticed the difference, but everything works perfectly.

Author: MadBoy

Updated on September 18, 2022

Comments

  • MadBoy
    MadBoy over 1 year

    I would like to configure WSUS so that when employees are in the main location they use WSUS to download stuff, and when they are in other locations (different locations / home etc.) they use Windows Update.

    It was suggested in this question to use subnets/locations to do that. This is a fine solution; however, we decided that only about 10-15 computers will get automatic installation of updates, and the rest will get update/download-only information.

    So we're in a situation where we should use a combination of a GPO for location and a GPO for OU (the automatic guys will get their own OU).

    Is there a way to configure the Windows clients so that WSUS will take its information from 2 GPOs? Also, what about home / customer locations where we don't know the subnets? Can we somehow configure GPO so that a computer, when outside of known subnets/locations, will turn on another GPO using Windows Update from Microsoft but keeping our "choice" of automatic download vs download-only (depending on employee)?

    We chose to install everything for backoffice employees and download-only for programmers (which is 90% of the company).

  • MadBoy
    MadBoy over 12 years
    We want to have 1 WSUS server in the main location. We want updates to be approved by us for programmers and downloaded from WSUS when people are locally connected, but they choose whether to install them or not. But we also want to download and install automatically for chosen computers (backoffice). When people are outside of the company or branch offices they should get stuff from Microsoft, but they should keep asking WSUS whether the updates were approved or not (if that's not possible, then switching to MS to get everything).
  • Ian Murphy
    Ian Murphy over 12 years
    The only way to do this is to have 2 WSUS servers, as the option to store locally or to pull from MS is an option on the server and not something you can force on the client using a GPO. The problem comes with switching back and forth. I found it didn't work very well. Give it a try, maybe you have better luck. You'll hit the problem of needing to apply a policy when it's not in contact with the office to switch to not using WSUS (or using the secondary WSUS and accessing it by VPN).