WSUS automated or a joke? -Success!

Okay, I said that just to get your attention. You guys know I love Microsoft and you all know that all Microsoft products come perfectly ready right out of the box with no problems, right!

Okay I said that to ask your guidance..I have a home lab much the same as at work. I have a single domain with WSUS sp1 running on a windows 2003 EE server...Runs great..

1. GPO is set and recognized in my Comp Groups
2. Updates being pushed out to each vm xp machine

However, here is the problem.I thought WSUS was fully automatic?
I have all the settings in the GPO set to reboot as needed with default settings of 5 min wait and I have set DO not problem user of updates etc.
but the little yellow update shield comes up by the clock and says ready for updates??WT??? I have worked with another MCSE type and he has no clue...What are we doing wrong..is WSUS fully automated like install and reboot and install and reboot?

We intentionally at work leave all the machines on overnight so it can do updates and reboot as necessary without users using their PCs...but each PC has the installed updates loaded on their PC but they wait for a response from the employee/user?WT???

I want WSUS to be fully automated, isn't that what it is for? If I wanted the little yellow shield popping up and bugging employees, I would have just set the Auto Updates from the local machine???

What am I doing wrong. I want it fully automated so when the employee comes in in the morning they do nothing but use their machine and know nothing of any updates happening??



    Yes it can be fully automated. Post up the GPO settings you have set.
    i will post them..soon tonight I will...please look back and see what I posted tonight I have to get them written down and then type them in.
    so be patient tonight i type them in thanks that is fantastic

    You need to set the "Configure Automatic Updates" to 4

    4 = Automatically download updates and install them on the schedule specified below
    Specify the schedule using the options in the Group Policy Setting. If no schedule is specified, the default schedule for all installations will be everyday at 3:00 AM. If any of the updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is logged on to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.)

    This option should do the trick....:)
    Okay guys this is what I have.
    In GPO under the OU I have:
    Computer Configuration-->AT-->WC-->Windows Updates

    Do not display Install updates and shutdown NC
    Do not adjust default option to install updates and shutdown NC
    Configure Automatic Updates #4. auto download/schedule 7. sat 15:00 E
    Specify Intranet MS service location both htt://wsus E
    Enable client side targeting NC
    Reschedule Automatic updates schedule installation wait 15 min E
    No auto-restart with logged on users NC
    Automatic updates detection E
    Allow automatic updates immediate installation E
    Delay Restart for schedule installation NC
    Allow non-admin to receive updates notifications E
    Enable recommend updates via automatic updates D
    Enable windows update power management to auto wake D
    Allow sign .....from .. NC

    okay guys here is each line..SWM looks like I have the right policies.
    I mean they download right to each machine. but each machine
    waits for me to click on little yellow install shield to finish the install
    I mean total initiate install and click on restart. no auto restart anything.
    I feel I have them just right? all the GPO..what would allow the shield to pop up and have the user have to click on to install? and then when done it says do restart must take place???? but remind you that these machines were 50 percent initially behind in their updates.maybe it was too much for them to handle being 50 percent behind on updates???
    I was under impression WSUS could be done at night while PCs left on
    and it would just push out updates to PCs, install, reboot as needed and then continue to install and repeat cycle??? what am I doing wrong dude?
    thanks for your help
    so SWM so if users were still logged on after they left for home
    would the computers not restart nor install their updates??
    I think users remained logged on does that matter?
    Allow non-admin to receive updates notifications E

    Try changing that one to "Disabled".
    so SWM so if users were still logged on after they left for home
    would the computers not restart nor install their updates??
    I think users remained logged on does that matter?

    From memory the computers should install the updates and then start a countdown timer until they reboot (I think after 10 minutes is default). If the users are logged in but not at their desks, the PCs should reboot automatically after this time.
    dude did i ever tell you you were a freaking genius?? well
    you are a genius. that was the ticket! it is working unattended now
    on my machines...the installed percentages are climbing and no one is logged in..

    thanks to all of you for your help..the tech forum/cert forum kicks ass!
    i just imaged my wsus server now on to creating my ISA 2004 server from scratch see you guys later.

    "so many toys so little time" .....
    actually this is part of my 70-290 studies hope to take my 290 in 2 months just boning up on all the labs and building my own stuff at home
    and it has helped at work as well. My boss will think I am a genius and give me the biggest raise! ahaahha NOT!! genius because of your guys's help thank you

    but as soon as I change that setting that you mentioned sprky, it
    freaking started to download and install at the same time and do its automated thing great!!!!boooooyaahH!!!

    God bless you this Easter my friends! :)
    okay I spoke too soon. rats! okay guys
    it worked for one of these machines but why does it still show the
    install update shield in the Administrator login. If I log into the machine
    it still gives me that option. Okay little history on these machines.
    We were mandated by our auditors to get WSUS at work. We got it and installed it and yes they are updated but have all exclamation points saying updates needed in yellow with the update shield near the clock.
    Sure it doesn't show in the normal users who login but it is like updates hang and doesn't seem to reboot nor does reboot do anything.
    these machines are like 200 plus updates behind to give you more info.
    So do you think my updates are initially sketchy due to the fact they have 200 plus updates to install and will take a while to fully update? It just seems the wsus server tickles the pc and then just stops pushing out the updates. I did a client check on the pcs and they seem to have no errors. the only error that is flagged with the wsus client tool is no proxy. and we don't use a proxy just wsus and clients. I think that setting worked sprkymrk but for some reason the installs hang and need a manual reboot but even that doesn't seem to work? Like it is just a lazy wsus server or what? haahahah this cannot be that hard..the installs take place but are poky and seem to drop off after 100 updates are performed and then doesn't start up again even though there are 120 updates needed yet?
    when does the client ask for more updates or does the wsus server do some keep alive or something to check in with the client??? I don't understand why this is so sketchy?? wish I could get a handle on it. do you guys know why i am still getting the update shield in the admin login
    that is if i login but if i don't login the machine just doesn't auto install
    i have to like do a gpupdate /force and then a wuauclt.exe /detectnow a few times and then it seems to perk up.
    what do you guys think is my problem besides me ahaahah
    any tests for something? thanks. sprky your setting changed seems to work but sure the employees don't see shield but admins do and still seems to wait for a stroke to get going? i expect it to do this really.
    1. download updates to pc
    2. install updates
    3. reboot as needed
    4. install more updates
    5. reboot as needed
    all with no user intervention nor admin intervening
    just watch WSUS mmc snap in console them install.
    is this a real expectation or am i going to have to remote to each
    pc and run the gpupdate /force and wuauclt.exe /detectnow all the time?
    Hi ITDaddy,

    Interesting thread as I plan on rolling out WSUS in my environment as well & all our PC's are way behind in updates too.

    Looking at your GPO policy I was gonna recommend enabling "Enable windows update power management to auto wake" but it sounds like you're not having a problem with the PC's coming up to run their updates, right?

    One thing I was going to suggest was to try applying the GPO to a root OU with a small test group in it, instead of all your PC's in your environment. I believe WSUS can handle 15K clients as long as the minimum HW requirements are met (733 MHz processor & 512MB RAM) which I'm sure you've got right?

    My reasoning for the test OU is that I wonder if there are any other GPO settings that are restricting the process and I wanted to try and eliminate that factor.

    Finally, I see you have 'Enable Client Side Targeting' Not Configured. I would enable Client Side Targeting on your WSUS server and then create a 'WSUS' AD Group , place the 5 PC's in it and then enable this setting in Group Policy. Maybe even un-link and then re-link the policy for kicks if that doesn't help. :)

    Hope you can get this working!
    1) CCNP Goal: by August 2012
    false alarm sprkymrk and SWM and genxrcist,

    wow this is what happened...okay after i config the setting sprkymrk said
    it started to work, then it just stopped, and then i watched for an hour nothing and then went to bed and next morning got my email report sent to me from wsus server saying no computer needed updates (this is all on my home lab setup) and all pcs (which are virtual xp machines) and a real 2003 ee server..now after that setting it does work i was expecting it to work within 15-20 minutes but after about long while it works..maybe it was installing on each pc..i was watching the network icon that flashes if there is traffic..maybe i was just hallucinating after hours of banging my head to get it to kickstart.but you guys are right it is that GPO policy push out. i had to run these commands on the machines that did not report in to the wsus server..but i think with so many updates behind that it takes longer than expected. I am going to watch it. when it has only a few updates it will be much faster i bet. but all in all wsus is automated with a few commands i have had to run and i used the client side wsus tool checker.

    1. gpupdate /force

    2. wuauclt.exe /detectnow
    3. client side wsus tool checker.

    i ran these on clients that didn't show up in the wsus server at home first in my test lab will be a genius at work monday when I show my boss my wsus skills and then i know i will get that big raise ahqahahah ahaha hh
    hhhaha...NOT! but it will be fun to fix the ones that didn't report.

    but it is working perfect now. will be more patient guys sorry. and sprky you still are a genius that one command did the trick. i just had to be patient with 100s of updates behind it is working behind the scenes..

    but the commands above needed to be run on poky clients and then leave them alone and on and they work fine even if clients logged in or not.
    Robert, if you have clients that will not show up in the WSUS console, it could be due to a WSUS SID problem, which can occur for various reasons when you clone machines. If that seems to be the case, run this on your clients that do not show up:
    net stop wuauserv 
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientID 
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid 
    net start wuauserv 
    gpupdate /force 
    wuauclt /resetauthorization /detectnow
    All things are possible, only believe.
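
A way to find which imaged clients share a SusClientID before running the reset above, as an added example that is not part of the original post: it parses `reg query` output collected per host. The host names, GUIDs and collected output are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: per-host output of
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId
# Host names and GUIDs are made up for illustration.
KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate"
SAMPLE = {
    "XP-VM01": f"\n{KEY}\n    SusClientId    REG_SZ    11111111-aaaa-4bbb-8ccc-000000000001\n",
    # Clone of XP-VM01: same ID, different letter case, older tab-separated REG.EXE layout.
    "XP-VM02": f"! REG.EXE VERSION 3.0\n\n{KEY}\n\tSusClientId\tREG_SZ\t11111111-AAAA-4BBB-8CCC-000000000001\n",
    "XP-VM03": f"\n{KEY}\n    SusClientId    REG_SZ    22222222-aaaa-4bbb-8ccc-000000000002\n",
    # Value absent: reg.exe reported an error instead of a value line.
    "XP-VM04": "ERROR: The system was unable to find the specified registry key or value.\n",
}

# Registry value names are case-insensitive; separators may be spaces or tabs.
VALUE_RE = re.compile(r"^\s*SusClientId\s+REG_SZ\s+(\S+)\s*$", re.I | re.M)


def client_id(reg_output):
    """Return the SusClientId (lower-cased) from reg query output, or None."""
    match = VALUE_RE.search(reg_output)
    return match.group(1).lower() if match else None


def find_clones(outputs):
    """Return (ids shared by 2+ hosts -> sorted hosts, sorted hosts with no ID)."""
    by_id = defaultdict(list)
    missing = []
    for host, text in outputs.items():
        cid = client_id(text)
        if cid is None:
            missing.append(host)
        else:
            by_id[cid].append(host)
    shared = {cid: sorted(hosts) for cid, hosts in by_id.items() if len(hosts) > 1}
    return shared, sorted(missing)


if __name__ == "__main__":
    shared, missing = find_clones(SAMPLE)
    for cid, hosts in shared.items():
        print(f"shared SusClientId {cid}: {', '.join(hosts)}")
    print("no SusClientId found on:", ", ".join(missing) or "none")
```

Hosts that share an ID are the candidates for the reset commands above.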
    yeah we do do imaging of all our machines. hum! Hey was wondering do the client PCs need to be on a certain wsus client version...working with wsus sp1? I did the .adm template and so forth but was wondering if
    maybe with the downloads it needs a certain client side version of wsus to work with the WSUS sp1 server? i am going to try your cool command sprky and let you know what it is...thanks for your professional help....
    i appreciate it..
    so far it proves that you are the man! that script you gave
    me is working. How I know is I made it a point to have the window
    desktop lockout and you know only the user or admin can unlock it.

    I wanted to test this because users at work lock out their computers.
    actually we have the GPO for screensavers set to lock out in 3 minutes since we are a financial and required by policy to have PCs lock out every 3 minutes of no activity. I wanted to test my home setup to still install updates while PC is locked out and sure as heaven is coming, it is installing like a dream man..what you did has helped me out. And I bet since I do images at home as well huh..great script. I can never repay you man for all your great help and to all the dudes on this forum. I hope I can repay you guys somehow thanks you the man!
    Lock out at 3 minutes? Wow, at the gov job I was working we put in place a policy for 5 minutes and the users were able to whine and complain it all the way up to 30 minutes! It was pretty impressive. None of the people in IT management wanted to put their foot down on policy.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
    yeah 3 minutes is bull crap; even IT gets that crap stupid..I think we could have 5 minutes and I would be happier..but yeah amazing how our IT is run, our boss is nutz..I know we could go longer 3 minutes is go take a **** and come back and bam you locked out.. or talk on phone with someone and locked out. we do have in place when screen saver comes on if you hit the space bar it preempts it..which is nice, but yeah 3 minutes is overkill 5 minutes is reasonable. 30 minutes is nutz for gov jobs wow I am not surprised ahahahaa;)
