0

I have 2 GPOS on my W2K3 domain: 1 is for the servers, where AU is disabled the 2nd GPO is for desktop, where AU is enabled (with limitations - NA for the question).

I manage my AU's using Microsoft's WSUS. The question I have, If I mark an update, as approved to all computers, does the GPO takes presedence? or once I approved it to all, the AU will be installed on the server? even that it's GPO for AU is disabled?

I am asking, as I want to have some AU's automatically installed, and can't see how to Approve for desktops only.

thanks

Saariko
  • 1,791
  • 13
  • 45
  • 73
  • 1
    Please check if this answer applies to you http://serverfault.com/questions/64258/wsus-vs-gpo-what-policy-takes-precedence – Sergei Dec 28 '11 at 12:20
  • IT does clear a point, but raises other: If I disable AU for my servers in GPO, and I manage my AU's with WSUS (Isn't that how it should be?) than if by mistake, I select to approve a patch to the servers - They will deploy? That's bad. That's why I have the GPO - to DISABLE AU's. – Saariko Dec 28 '11 at 12:28
  • Besides technicalities, I would pay attention how it is possible to make this mistake in a first place.If you have servers and workstations in the separate groups in WSUS this should be quite hard. – Sergei Dec 28 '11 at 12:36

1 Answers1

1

WSUS only offers updates to machines that have registered with the server and that ask for updates. If you servers don't talk to the wsus server they will NEVER get any updates from it. And you already made sure of that using group policies. In fact: A group policy is the only way to tell a client that it needs to talk to the WSUS server. So if you don't tell the computer about your WSUS it will not use it EVER.

Check in WSUS under the section "clients" which PC's it knows about. You should only see your desktops there if everything is setup correctly.

Please don't forget: The WSUS server itself should be kept current with ALL updates that apply to WSUS.

Tonny
  • 6,252
  • 1
  • 17
  • 31