WSUS Question

Discussion in 'General Microsoft Certifications' started by Methodman85, Jul 18, 2008.

  1. Methodman85

    Methodman85 Byte Poster

    I've just deployed WSUS at my company.
    I haven't approved any updates yet or assigned any computers to groups. All updates are set to Detect only.
    The computers are currently sitting under all computers/unassigned.

    My question is: Does WSUS do anything to prevent a user from going to the windows update site manually and downloading updates?
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  2. dales

    dales Gigabyte Poster

    I couldn't really say. Although the site does detect when you don't have Auto Update enabled, perhaps it does the same for computers pointing to a WSUS server!?
     
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
  3. onoski

    onoski Terabyte Poster

    As long as your computers are in an OU configured with Group Policy for automatic updates from your WSUS server, then it shouldn't allow users to auto update.

    I think, though, that if the user or end user in question has local administrative rights, then yes, they'd be able to run Automatic Updates from the MS website.

    I am assuming you've created a test account to test the WSUS server to end-user computers or vice versa, as this would give you a better picture.
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  4. UKDarkstar
    Honorary Member

    UKDarkstar Terabyte Poster

    Correct
     
    Certifications: BA (Hons), MBCS, CITP, MInstLM, ITIL v3 Fdn, PTLLS, CELTA
    WIP: CMALT (about to submit), DTLLS (on hold until 2012)
  5. Methodman85

    Methodman85 Byte Poster

    Ah, I see, that makes sense. I actually haven't tested with a non-local-admin account. I will try that now.
    Thanks!
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  6. Methodman85

    Methodman85 Byte Poster

    Ah, beautiful stuff, thanks guys :D
    Next question: is there a policy to stop even local admins from accessing Windows Update?
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  7. Methodman85

    Methodman85 Byte Poster

    So since a standard user can't do Windows updates regardless of WSUS... how do I know WSUS is doing its thing?
    I thought that launching Windows Update from a machine would actually take you to the WSUS server.
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  8. onoski

    onoski Terabyte Poster

    In order for this to work the way it is meant to, you'd have to create an OU, then a GPO, and apply it to the OU, after which you move all your workstations or computers to that created OU.

    Furthermore, you can also force the workstations to get updates only from the GPO applied to the OU by configuring this on your DC under Computer Configuration, Policies, etc.
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  9. grim

    grim Gigabyte Poster

    WSUS doesn't stop users from doing their own updates; you'll have to lock that down in Group Policy.

    Grim
     
    Certifications: Bsc, 70-270, 70-290, 70-291, 70-293, 70-294, 70-298, 70-299, 70-620, 70-649, 70-680
    WIP: 70-646, 70-640
  10. Methodman85

    Methodman85 Byte Poster

    I actually applied a domain-wide GPO; we're a small company and I want all systems, servers and desktops pointing to my WSUS server.

    Within this GPO the policies are as follows:

    - "Specify intranet Microsoft update service location" policy is enabled and pointing to my WSUS server.

    - Automatic Updates is configured to download and install approved updates automatically every day at 1:00pm.

    - If the system is not on during that time, the updates will automatically be rescheduled to be downloaded and installed 10 minutes after the next boot-up.

    - Auto restart has been disabled completely; it will be up to the logged-in user to restart their system after the updates have installed.

    What else would I have to do if I wanted to force users to only be able to receive updates from my WSUS server?

    Stop all users, local admins alike, from accessing Microsoft updates outside of my WSUS.
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  11. Methodman85

    Methodman85 Byte Poster

    I will enable the "Disable and remove links to Windows Update" policy. That should do the trick, is there anything else I should consider?
    Any input is greatly appreciated.
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  12. nugget
    Honorary Member

    nugget Junior toady

    Sounds okay to me so far.

    Another idea is to define groups on the WSUS server and put the respective PCs into them. That way you can approve updates to specific groups of PCs or servers.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  13. Methodman85

    Methodman85 Byte Poster

    Indeed, that's the plan after some more testing.
    Any idea why WSUS wasn't set up to link with AD, therefore allowing the use of computer OUs within it?
    Seems really strange to me. If you're going through the trouble of creating an OU, adding systems, and linking a GPO for WSUS, why not just allow us to link that OU into WSUS and be on our way?
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  14. zebulebu

    zebulebu Terabyte Poster

    Here is one of my GPOs for WUS, controlling automatic updates of workstations:

    Settings as follows:

    Configure Automatic Updates - set to auto-download and notify for install on a Wednesday at 20:00
    Specify intranet Microsoft update service location - set to my local WUS server
    Enable client-side targeting - set to enabled and pointing to the relevant target group on the WUS server
    Reschedule automatic updates scheduled installations - set to enabled and 10 minutes after system startup
    No auto-restart with logged-on users for scheduled automatic updates installations - set to enabled (you don't want users having their PCs shut down in the middle of work because of an automatic update!)
    Allow automatic updates immediate installation - set to enabled - updates that don't require a restart are installed automatically
    Re-prompt for restart with scheduled installations - set to enabled, and nag every ten minutes
    Allow non-administrators to receive update notifications - set to enabled, so users are aware that they need to restart to get the update
    Allow signed content from intranet Microsoft update service location - set to enabled - without this WUS doesn't work properly as clients see updates as unsigned

    Some of these policies may not be appropriate for your workplace. For instance, I once worked somewhere that had a lot of whining SOBs who used to blame the IT department for everything when, in fact, most of the problems were due to them installing ****e on their PCs prior to me arriving. First thing I did when I got there was remove local admin rights (which had seemingly been granted across the organisation to everyone) then sorted out WSUS, but soon got moaned at by the helpdesk team because they were being bombarded with complaints from self-same whining SOBs who were blaming the fact that they had just updated their computers for the fact that they were 'running slow' (nowt to do with the sixteen tons of malware they had installed on them then...). I disabled the "Allow non-administrators to receive update notifications" setting so that they no longer knew when their computers were being updated, and stuck a batch restart on all the PCs every night. Choose what fits best for your environment!
     
    Certifications: A few
    WIP: None - f*** 'em
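    The GPO settings listed above (and Methodman85's daily 1:00pm schedule earlier in the thread) end up as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate on each client. The following audit script is an added example for checking that a workstation actually received them; it is not code from any poster, and the expected values assume Methodman85's stated policy (auto download and install every day at 13:00, reschedule 10 minutes after boot, no forced restart), so adjust them to your own GPO.

```powershell
# Added example: audit the Windows Update policy values written by the WSUS GPOs.
# Run on a domain workstation after 'gpupdate /force'. Value names are the ones the
# Automatic Updates client reads; expected values reflect the policy described in
# this thread (assumed, edit to match your GPO). A missing value means the policy
# never reached this machine (wrong OU, GPO not linked, or filtering).
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

# Each row: registry key, value name, expected value ($null = report only), description
$checks = @(
    @($wu, 'WUServer',                      $null, 'Specify intranet update service location (URL)'),
    @($wu, 'WUStatusServer',                $null, 'Intranet statistics server (URL)'),
    @($au, 'UseWUServer',                   1,     'Client uses the intranet server, not Microsoft'),
    @($au, 'NoAutoUpdate',                  0,     'Configure Automatic Updates is enabled'),
    @($au, 'AUOptions',                     4,     '4 = auto download and schedule the install'),
    @($au, 'ScheduledInstallDay',           0,     '0 = every day (4 would be Wednesday)'),
    @($au, 'ScheduledInstallTime',          13,    'Install hour, 13 = 1:00pm'),
    @($au, 'RescheduleWaitTimeEnabled',     1,     'Reschedule missed installs after startup'),
    @($au, 'RescheduleWaitTime',            10,    'Minutes to wait after boot'),
    @($au, 'NoAutoRebootWithLoggedOnUsers', 1,     'No auto-restart while a user is logged on'),
    @($au, 'AutoInstallMinorUpdates',       1,     'Install updates that need no restart immediately'),
    @($wu, 'TargetGroupEnabled',            1,     'Client-side targeting enabled'),
    @($wu, 'TargetGroup',                   $null, 'WSUS target group name'),
    @($wu, 'ElevateNonAdmins',              1,     'Non-administrators receive update notifications'),
    @($wu, 'AcceptTrustedPublisherCerts',   1,     'Allow signed content from intranet location')
)

function Get-PolicyValue($key, $name) {
    # Return the value or $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name } catch { $null }
}

foreach ($c in $checks) {
    $key, $name, $expected, $desc = $c
    $actual = Get-PolicyValue $key $name
    $status = if ($null -eq $actual) { 'MISSING' }
              elseif ($null -eq $expected -or $actual -eq $expected) { 'OK' }
              else { "MISMATCH (expected $expected)" }
    '{0,-30} {1,-12} {2,-24} {3}' -f $name, $actual, $status, $desc
}

# The "Disable and remove links to Windows Update" policy mentioned earlier is a per-user
# Explorer policy; NoWindowsUpdate = 1 removes the Windows Update link for the current user.
$exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
'NoWindowsUpdate (HKCU): ' + (Get-PolicyValue $exp 'NoWindowsUpdate')
```

    A row reporting MISSING for WUServer or UseWUServer means the client is still talking to Microsoft directly, which is the quickest way to answer the "how do I know WSUS is doing its thing" question from earlier in the thread.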
  15. Methodman85

    Methodman85 Byte Poster

    Duplicate
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  16. Methodman85

    Methodman85 Byte Poster



    Ah, that's experience for ya.
    What a Wonderful and Informative post. I hadn't even considered some of the things you mentioned. Thank you very much!
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  17. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    If the user is a member of Domain Users and not a local admin, then you can't run Windows Update. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010