This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

EminentWare Compuer Groups vs. WSUS Computer Group

All,
I need to apply a 3rd party patch to a subset of machines within a WSUS computer group (a large one).  I would like to run the report which shows me the computers needing the update, and transfer those machines to a WSUS group, and gradually add groups of machines to this group which has the approved update (I do not want to apply this update to the whole org, yet).  I see where I can change EminentWare Compuer Groups for a batch of machines after running a query, but not WSUS groups.  Approvals are governed by WSUS groups and not EminentWare Groups, unless I’m missing an option?
My report is identifying the machines by software name and IP address (IP address giving me their physical locations, which drives the roll-out timeline).


I’ve done testing on the patch with a few vm’s, but I also want to do this roll-out slowly to see how it affects multiple user machines, over a few days.  Having them in a spate WSUS group will allow me to keep them isolated, and allow for easy identification and removal of the patch, should problems arise.  Once I catch these machines up to the rest of the org., I can roll them back into the larger WSUS group.


Am I approaching this the wrong way or missing any EminentWare options which would make this possible/easier?


Thank you.

  • Your approach is solid, and you are correct that approvals only apply to WSUS Target Groups.

    However, Patch Manager doesn't provide a way to manage WSUS Target Group memberships, except from an existing WSUS Target Group. So, you can use the report to identify the machines, but you'll need to select them from the existing group using Ctrl-Click in order to modify their existing group memberships.

    Another way you can approach this, though, is using the feature of the Update Management Wizard (UMW) to deploy a NotApproved update, by de-selecting the option to "include approved updates" on the options screen. Because the update is NotApproved, no client system can download/install the update on its own, but you can use the UMW to specifically target one or more systems for the installation of that update.

  • Tested using UMW with these options in the vm environment and it worked perfectly.  Also, I while not moving computers around in groups, I can still somewhat “keep up” with who is getting patched by using the task history (even exporting this list as a spreadsheet).  Should things go awry, I’ll at least have a list of what machines were patched.


    Thanks Lawarence.

  • Also, those systems will report the package as Installed, even though it's NotApproved.

    From the Third Party Updates view, select the update and use the Computer Summary tab to see the machines that have the update installed.

  • True.  In my particular case, I’m already seeing a lot of systems with this update that’s Not Approved, as this process was not really managed before.