Quick WSUS query

Hi all,

Here is the scenario: I have custom groupings and, for example, I will use Client Side Targeting to filter the groups below:

Windows_7 (top level group)
Windows_7x86
Windows_7x64

If there is an update for me to approve that is x64, do I have to select Windows_7x64 individually, or can I just allow inheritance from Windows_7?

I guess the query is, will WSUS be clever enough to know that it will not apply to the Windows_7x86 group as it's only for x64, via WMI query, etc.?

Thanks

Mik
 
Last edited:
You can allow x64 updates to 32bit groups wsus will just not install that update on the 32bit machines.

What I do is, I create a test group and then I add all IT staff in there and a handful of users; I don't use the AD OU targeting. Then I create a search group filter for the specific updates that I want, then I approve them all (apart from ones I don't want, like IE11 for example) for the test group. Then once it has been tested for a few weeks, I go back in and sort the updates by the approved column. All the ones that are approved by 1 I approve for the non-test groups. Then I repeat this process.

My colleague prefers to just automatically roll out critical and security updates to all users. This is another way to do it, but what happens then is he does not apply Office updates and other updates and just forgets about them. Somewhere in between is probably best, but I don't mind doing it manually as then I know what's going out.

There have been a few instances where updates have caused big problems, and it's good to be slow (a few weeks' lag) with the updates, as if you push them out as soon as they are released, you may not get news about problem updates.

As AIDM pointed out, you can approve an update for all machines. The machine will only install the relevant updates, e.g. an Office update won't be installed on a machine without Office installed.

How we have our groups set up:
Site Name (top level group)
>Site Name Servers
>Site Name Desktops
>Site Name Test Machines

When new updates come in we decline anything we don't want (Itanium patches mostly) and approve the rest for the 'Test Machines' group.
When the updates are tested and ready for the rest of the organisation, we approve at the 'Site Name' top level group, and set all the subgroups to 'Same as Parent'.
I think this is the simplest way to manage WSUS patching.

We use a couple of custom update views to simplify this.
One for unapproved updates - None of the options are selected,
Dropdowns: Approval 'Unapproved', Status 'Any'

And one for Patches in Test - 'Updates are approved for a specific group' ticked, 'Test Machines' group selected.
Dropdowns: Approval 'Any Except Declined', Status 'Any'

I can provide screenshots or more info if required.
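
The test-then-promote approval flow described in the replies above, as an added PowerShell example that is not part of any poster's message. It assumes the UpdateServices module on the WSUS server; the group names are placeholders taken from the last reply, 21 days stands in for "a few weeks", and every change is behind `-WhatIf`.

```powershell
# Added example: staged WSUS approvals (test group first, then the top-level group).
# Assumptions: group names and soak period below are placeholders, not site values.
Import-Module UpdateServices

$TestGroupName = 'Site Name Test Machines'   # placeholder
$TopGroupName  = 'Site Name'                 # placeholder; subgroups set to 'Same as Parent'
$SoakDays      = 21                          # assumed length of "a few weeks"

$wsus      = Get-WsusServer
$groups    = $wsus.GetComputerTargetGroups()
$testGroup = $groups | Where-Object { $_.Name -eq $TestGroupName }
$topGroup  = $groups | Where-Object { $_.Name -eq $TopGroupName }
if (-not $testGroup -or -not $topGroup) {
    throw "Target group '$TestGroupName' or '$TopGroupName' not found on this WSUS server."
}

# Stage 1: decline what is not wanted (Itanium here), approve the rest for the test group.
foreach ($u in Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status Any) {
    if ($u.Update.Title -match 'Itanium|ia64') {
        $u | Deny-WsusUpdate -WhatIf
    } else {
        $u | Approve-WsusUpdate -Action Install -TargetGroupName $TestGroupName -WhatIf
    }
}

# Stage 2: promote updates that have been approved for the test group for the whole
# soak period and are not yet approved at the top-level group.
# Compared in UTC; a few hours either way does not matter over a period of weeks.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$SoakDays)
foreach ($u in Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Any) {
    $approvals = $u.Update.GetUpdateApprovals()
    $soaked = $approvals | Where-Object {
        $_.ComputerTargetGroupId -eq $testGroup.Id -and
        $_.Action -eq 'Install' -and
        $_.CreationDate -le $cutoff
    }
    $alreadyTop = $approvals | Where-Object { $_.ComputerTargetGroupId -eq $topGroup.Id }
    if ($soaked -and -not $alreadyTop) {
        Write-Output ("Promote: {0}" -f $u.Update.Title)
        $u | Approve-WsusUpdate -Action Install -TargetGroupName $TopGroupName -WhatIf
    }
}
```

Remove `-WhatIf` only after the listed titles match what the console views show for the same groups.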