MrWu (26th March 2012)
Maybe a really silly question
A WSUS policy was set on the default domain policy, which encompasses servers and workstations (not ideal). The server that this policy points to no longer exists, and I have already built a brand new WSUS server ready to roll; the main goal, as well as updates, is to accommodate Forefront AV auto updates.
I want to either remove the entry in the default domain policy (and create a new GPO with the new WSUS server to apply to PCs; servers I would rather handle manually for updates)
or change the existing entry to point to the new WSUS server; however, that does not give me two separate policies for servers and workstations?
I'm mindful, however, that if I remove the existing default domain policy WSUS setting my servers might revert to downloading updates automatically, with interesting consequences!
Also, am I right in saying that even if the GPO points the machines to the correct WSUS server, it won't apply updates until I assign these machines to a WSUS group and approve updates in the host WSUS server? (This would be ideal; I want some control and only want the workstations updated by WSUS for now, i.e. servers can stay in the unassigned group, for example.)
Hope this makes sense, but I guess my priority is to get workstation PCs to automatically update Forefront definitions from the WSUS server for Easter, and do Windows updates that are approved in separate WSUS groups. Servers I would rather have done manually for now.
Any advice would be appreciated.
Yeah, you're going about it the right way. I would avoid putting anything in the Default Domain Policy that isn't absolutely essential, so a separate GPO for your WSUS settings is the way to go. It gives you more flexibility in future if you want to adjust the settings for different OUs, groups, etc.
I wouldn't worry too much about the computers going "rogue" if you remove the WSUS settings from the Default Domain Policy - just make a new GPO with your WSUS settings and apply it to the appropriate OUs. Settings in GPOs at the OU level take precedence over the Default Domain Policy, so you'll be able to tell there and then if the computers are looking to the new update source, before you even remove the obsolete settings.
Anyway, yes, you are (more or less) correct that until you assign managed computers to a group within WSUS and approve updates for those groups, the computers won't download and install updates. You can approve updates for computers within the "Unassigned" group if you want, but using proper groups within WSUS is a more sensible approach.
Last edited by tigerstar; 26th March 2012 at 04:46 PM.
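To confirm, as the reply above suggests, which update source the computers are actually looking at before touching the Default Domain Policy, here is an added PowerShell check (not from this thread; the NEW-WSUS-SERVER URL is a placeholder for your own server). It reads the policy registry values that the WSUS GPO writes and flags machines still pointed at the obsolete server or with no WSUS policy applied at all.

```powershell
# Added example (not from the thread): report which WSUS server each computer is
# pointed at by policy and whether it matches the new server.
# The ExpectedServer default is a placeholder; replace it with your new WSUS URL.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$ExpectedServer = 'http://NEW-WSUS-SERVER:8530'
)

$check = {
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $pol      -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$pol\AU" -ErrorAction SilentlyContinue

    # AUOptions: 2 = notify before download, 3 = auto download / notify install,
    # 4 = auto download and schedule install, 5 = local admin chooses
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        WUServer     = $wu.WUServer
        UseWUServer  = $au.UseWUServer      # 1 = use the intranet server above
        AUOptions    = $au.AUOptions
        NoAutoUpdate = $au.NoAutoUpdate     # 1 = automatic updating disabled
    }
}

# Run locally, or remotely over WinRM for each named computer
$results = foreach ($c in $ComputerName) {
    if ($c -ieq $env:COMPUTERNAME) { & $check }
    else { Invoke-Command -ComputerName $c -ScriptBlock $check }
}

foreach ($r in $results) {
    $state = if (-not $r.WUServer) { 'NO WSUS POLICY (would use Microsoft Update)' }
             elseif ($r.UseWUServer -ne 1) { 'intranet server set but not enabled' }
             elseif ($r.WUServer -ieq $ExpectedServer) { 'OK - new server' }
             else { 'OBSOLETE server' }
    '{0,-20} {1,-40} AUOptions={2} {3}' -f $r.Computer, $r.WUServer, $r.AUOptions, $state
}
```

After linking the new GPO to a test OU, run `gpupdate /target:computer /force` on a machine in that OU and rerun the check; once every workstation reports the new server, the obsolete setting in the Default Domain Policy can be removed with far less risk of servers silently falling back to Microsoft Update.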