WSUS Question

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I've just deployed WSUS at my company.
I haven't approved any updates yet or assigned any computers to groups. All updates are set to Detect only.
The computers are currently sitting under all computers/unassigned.

My question is: Does WSUS do anything to prevent a user from going to the windows update site manually and downloading updates?

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I couldnt really say, although the site does detect when you dont have auto update enabled perhaps it does the same for computers pointing to a wsus server!?

 

As long as your computers are in an OU configured with group policy for auto updates from your wsus server then it shouldn't allow users to auto update.

I think though that if you user or end user in question has local administrative rights then yes they'd be able to run auto update from MS web site.

I am assuming you're created a test account to test the wsus server to end user computers or vice versa as this would give you a better picture.

 

Correct

 

Ah I see that makes sense, I actually haven't tested with a non local admin account. I will try that now.
Thanks!

 

Ah beautiful stuff, thanks guys
Next question; Is there a policy to stop even local admins from accessing windows update?

 

So since a standard user can't do windows updates regardless of WSUS... How do I know WSUS is doing it's thing.
I thought that launching Windows update from a machine would actually be taking you to the WSUS server.

 

In order for this to work the way it is meant to you'd have to create an OU, then GPO and applied to the OU after which you move all your workstations or computers to that created OU.

Furthermore you can also force the workstations to get updates only from the GPO applied to the OU by configuring this on your DC under policy computer configuration etc.

 

WSUS doesnt stop users from doing their own updates you'll have to lock that down in group policies

Grim

 

I actually applied a domain wide GPO, we're a small company and I want all systems, servers and desktops pointing to my WSUS server.

Within this GPO the policies are as follows:

"Specificy intranet Microsoft update service location" Policy is enabled and pointing to my WSUS server

-Automatic update is configured to download and install approved updates automatically every day at 1:00pm.

-If the system is not on during that time the updates will automatically be rescheduled to be downloaded and installed 10 minutes after the next boot up.

-Auto restart has been disabled completely, it will be up to the logged in user to restart their system after the updates have installed.


What else would I have to do if I wanted to Force users to only be able to receive updates from my WSUS server.

Stop all users, local admins alike, from accessing microsoft updates outside of my WSUS.

 

I will enable the "Disable and remove links to Windows Update" policy. That should do the trick, is there anything else I should consider?
Any input is greatly appreciated.

 

Sounds okay to me so far.

Another idea is to define groups on the WSUS server and put the respective pc into them. That way you can approve updates to specific groups of pcs or servers.

 

Indeed that's the plan after some more testing.
Any idea why WSUS wasn't setup to link with AD therefore allowing the use of computer OU's within it?
Seems really strange to me. If you're going through the trouble of creating an OU, adding systems, and linking a GPO for WSUS, why not just allow us to link that OU into WSUS and be on our way.

 

Here is one of my GPOs for WUS, controlling autmoatic updates of workstations:


Settings as follows:

Configure Automatic Updates - set to auto-download and notify for install on a Wednesday at 20:00
Specify intranet Microsoft update service location - set to my local WUS server
Enable client-side targeting - set to enabled and pointing to the relevant target group on the WUS server
Reschedule automatic updates scheduled installations - set to enabled and 10 minutes after system startup
No auto-restart with logged-on users for scheduled automatic updates installations - set to enabled (you don't want users having their PCs shut down in the middle of work because of an automatic update!)
Allow automatic updates immediate installation - set to enabled - updates that don't require a restart are installed automatically
Re-prompt for restart with scheduled installations - set to enabled, and nag every ten minutes
Allow non-administrators to receive update notifications - set to enabled, so users are aware that they need to restart to get the update
Allow signed content from intranet Microsoft update service location - set to enabled - without this WUS doesn't work properly as clients see updates as unsigned

Some of these policies may not be appropriate for your workplace. For instance, I once worked somewhere that had a lot of whining SOBs who used to blame the IT department for everything when, in fact, most of the problems were due to them installing ****e on their PCs prior to me arriving. First thing I did when I got there was remove local admin rights (which had seemingly been granted across the organisation to everyone) then sorted out WSUS, but soon got moaned at by the helpdesk team because they were being bombarded with complaints from self-same whining SOBs who were blaming the fact that they had just updated their computers for the fact that they were 'running slow' (nowt to do with the sixteen tons of malware they had installed on them then...). I disabled the "Allow non-administrators to receive update notifications" setting so that they no longer knew when their computers were being updated, and stuck a batch restart on all the PCs every night. Choose what fits best for your environment!

 

Duplicate

 

Ah, that's experience for ya.
What a Wonderful and Informative post. I hadn't even considered some of the things you mentioned. Thank you very much!