Managing Computer Groups

PC Repair Tools

Advanced Registry Cleaner PC Diagnosis and Repair

Get Instant Access

The heart of WSUS management is the capability to target updates to groups of client computers. WSUS provides a mechanism to help you ensure that the right computers get the rights updates at the right time. In fact, computer groups ensure that client computers receive their updates in a consistent manner on an ongoing basis.

Computers will always belong to two groups. Every computer belongs to the All Computers group. However, they will also belong to the Unassigned Computers group until you assign them to your own custom group. A computer can belong to only one group in addition to the All Computers group.

You can assign computers to computer groups using one of two methods.The first method is server-side targeting where you manually move computers from the Unassigned Computers group to a custom computer group. The second method is client-side targeting where you use Group Policy or edited registry settings on client computers. Computers that are configured with client-side targeting automatically add themselves to computer groups on their managing WSUS server.You must choose either server-side or client-side targeting for each WSUS server as a global setting for all managed computers; however, you do not have to configure all your WSUS servers with the same setting. Some can be configured for server-side targeting while others are configured for client-side targeting.

A summary of the computer group targeting methods and their configuration is listed in Table 9.2.

Table 9.2 Computer Group Targeting Method

Targeting Method Summary

How to Configure

Server-Side Targeting

When configuring serverside targeting, use the WSUS Web-based administration console to create computer groups and then assign client computers to those groups. Server-side targeting is a good choice for organizations that do not have many client computers to update and you want to move client computers into computer groups manually. This method also makes sense for computers that you frequently move between computer groups.

To enable server-side targeting on your WSUS server, click the Use the Move computers task in Windows Server Update Services option on the Computers Options page.

Continued

Table 9.2 continued Computer Group Targeting Method

Targeting Method Summary

How to Configure

Client-Side Targeting

When configuring clientside targeting, you configure client computers to automatically add themselves to the computer groups that you previously created in the WSUS Web-based administration console. You can configure client-side targeting through an Active Directory Group Policy Object (GPO). If client computers are not members of an Active Directory domain, you can automatically assign them to a computer group by editing registry entries for the client computers. This will generate the results as configuration through Group Policy with some additional parameters. When the client computers connect and check-in with their corresponding WSUS server in both cases, they will add themselves into the indicated computer group automatically. Client-side targeting makes sense if you have many client computers and want to automate the process of assigning them to c omputer groups. This is also a good choice when you want to enforce computer group membership without relying on manual intervention of group assignment.

To enable client-side targeting on your WSUS server, click the Use Group Policy or registry settings on client computers option on the "Computers Options" page.

Configuring WSUS settings via registry settings can be performed on an individual basis, via login scripts, or through NT 4.0 system policy.Table 9.3 lists the registry entries for the WSUS environment options. These entries can be found under the registry key: HKEY_LOCAL_MACHINE\SojiwarePolkksMkrosoji\Wmdows\WmdowsUpdaie.

Table 9.3 Registry Entries for Setting WSUS Options

Entry Name

Values

Data Type

ElevateNonAdmins

TargetGroup

TargetGroupEnabled

WUServer

Possible values: 0 or 1 Reg_DWORD

0: Only users in the

Administrators user group can approve or disapprove updates.

1: Users in the Users security group are allowed to approve or disapprove updates.

Name of the computer Reg_String group to which the computer belongs. This should be configured for client-side targeting only. TargetGroupEnabled should be set along with this policy.

Possible values: 0 or 1 Reg_DWORD

0: Do not use client-side targeting. TargetGroup should be set along with this policy.

1: Use client-side targeting.

The URL of the WSUS Reg_String server used by Automatic Updates and Application Programming Interface (API) callers. This policy is paired with WUStatusServer and should be set along with this policy and should be the same value in order for them to be valid.

Continued

Managing the WSUS Environment • Chapter 9 317 Table 9.3 continued Registry Entries for Setting WSUS Options

Entry Name Values Data Type

WUStatusServer The URL of the server to Reg_String which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key. This policy is paired with WUServer and should be set along with this policy and should be set to the same value in order for them to be valid.

Additional configuration of the Automatic Update agent can be also be made via registry settings that can be made on an individual basis, set by login scripts, or through NT 4.0 system policy.Table 9.4 lists the registry entries for the Automatic Update agent options. These entries can be found under the registry key: HKEY_LOCAL_MACHINESoftwarePoUties\Mkrosoft\Wmdows\WmdowsUpdateAU.

Table 9.4 Registry Entries for Automatic Update Agent Configuration Registry

Entry Name Values Registry Data Type

AUOptions Possible values: 2, 3, 4, Reg_DWORD

or 5

2: Notify before download. 3: Automatically download and notify of installation. 4: Automatic download and scheduled installation. This is only valid if values exist for the entries of ScheduledInstallDay and ScheduledInstallTime. 5: Automatic Updates is required, but end users can configure it.

Continued

Table 9.4 continued Registry Entries for Automatic Update Agent Configuration

Registry

Entry Name Values Registry Data Type

Registry

Entry Name Values Registry Data Type

Table 9.4 continued Registry Entries for Automatic Update Agent Configuration

AutoInstallMinor

Possible values: 0 or 1

Reg_DWORD

Updates

0: Treat minor updates

like other updates.

1: Silently install

minor updates.

DetectionFrequency

Possible values: time in

Reg_DWORD

hours, 1-22.

Time between detection

cycles.

DetectionFrequency

Possible values: 0 or 1

Reg_DWORD

Enabled

0: Disable Detection

Frequency.

1: Enable Detection

Frequency.

NoAutoReboot

Possible values: 0 or 1

Reg_DWORD

WithLoggedOnUsers

0: Automatic Updates

notifies user that the

computer will restart in

5 minutes.

1: Logged-on user gets

to choose whether or

not to restart his or her

computer.

NoAutoUpdate

Possible values: 0 or 1

Reg_DWORD

0: Enable Automatic

Updates.

1: Disable Automatic

Updates.

RebootRelaunch

Possible values: time in

Reg_DWORD

Timeout

minutes, 1-1440.

Time between prompting

again for a scheduled

restart.

RebootRelaunch

Possible values: 0 or 1

Reg_DWORD

TimeoutEnabled

0: Disable Reboot

RelaunchTimeout.

1: Enable Reboot

RelaunchTimeout.

Continued

Table 9.4 continued Registry Entries for Automatic Update Agent Configuration

Registry Entry Name

Values

Registry Data Type

RebootWarning Timeout

RebootWarning TimeoutEnabled

Possible values: time in minutes, 1-30. Length, in minutes, of the restart warning countdown after installing updates with a deadline or scheduled updates.

Possible values: 0 or 1 0: Disable custom RebootWarningTimeout (use the default value of 5 minutes). 1: Enable Reboot WarningTimeout.

RescheduleWaitTime Possible values: time in minutes, 1-60. Time, in minutes, that Automatic Updates should wait at startup before applying updates from a missed scheduled installation time. Note that this policy applies only to scheduled installations, not deadlines. Updates whose deadlines have expired should always be installed as soon as possible.

Reg_DWORD

Reg_DWORD

Reg_DWORD

RescheduleWait TimeEnabled

Possible values: 0 or 1 0: Disable Reschedule WaitTime.

1: Enable RescheduleWait Time

Reg_DWORD

Continued

Table 9.4 continued Registry Entries for Automatic Update Agent Configuration

Registry Entry Name

Values

Registry Data Type

ScheduledInstallDay Possible values: 0-7 0: Every day.

1 through 7: The days of the week from Sunday (1) to Saturday (7). This policy is only valid if AUOptions equals 4.

Possible values: time of day in 24-hour format, 0-23.

ScheduledInstall Time

UseWUServer

The WUServer value is not respected unless this key is set.

Reg_DWORD

Reg_DWORD

Reg_DWORD

Best Practices According to Microsoft_

If your organization has an Active Directory domain, configure multiple computers using GPOs. Microsoft recommends that you create a new GPO that contains only WSUS settings. Link the new WSUS GPO to the appropriate Organizational Units (OUs) within the Active Directory domain(s) being managed by WSUS. Create as many GPOs as needed to cover the variations in client configuration in your deployment.

Some Independent Advice_

Managing WSUS through GPOs is effective and simple. If you want advanced control of WSUS, however, or if the computers you want to manage are not members of an Active Directory domain, Microsoft provides a software development kit (SDK) available for download on its site. The SDK exposes a Component Object Model (COM)-based API for managing both client computers and WSUS servers. If you are familiar with scripting against COM objects or have development experience with VisualBasic.NET, the SDK provides a powerful and extremely granular interface to manage your WSUS environment.

The WSUS SDK includes some samples that demonstrate the flexibility of the API, and can be downloaded from www.microsoft.com/windowsserversystem/ updateservices/downloads/default.mspx.

Was this article helpful?

0 0

Responses

  • Franco
    How to import computer group to update management?
    8 months ago
  • jere
    What can you do with WSUS computer groups?
    6 months ago
  • dorothy huffman
    How to automatically move a computer in a different group in windows update service?
    23 days ago

Post a comment