4 Replies Latest reply on Sep 23, 2014 10:45 AM by sz-a

    How to separate update and no-update systems?

    sz-a

      How should I control and fine-tune updates to systems?

       

      Structure:

      - Computers (Clients/Servers) in AD --> WSUS is configured or disabled per different GPOs on different OUs

      - Updates on WSUS are approved on every WSUS (using the Patch Manager Console) to Computer groups ("Test", "Server", "Clients") or the group "All Computers"

       

      I have an update (Java 7u67 x64) which would apply to all 64-bit machines but should only be installed on systems in a subgroup of the WSUS group "Clients" (this is how it is configured at the moment).

      But now in the other groups the update is shown as needed, not installed and not approved for the 64-bit systems of these groups.

      Do I only have to decline the update for these groups?

        • Re: How to separate update and no-update systems?
          Lawrence Garvin

          Create a subgroup of "Clients" called "Java". Approve the JRE7u67 x64 update for the "Java" group, and *ADD* the necessary clients to that group.

           

          For the computers in the other groups that report as needed, ignore them.

           

          HINT: If only some computers require this update, it's more likely that you should be publishing/approving the JRE 7u67 (x64) (Upgrade) package.

          If you publish the Upgrade package, systems that do not have JRE installed will not report it as needed.

            • Re: How to separate update and no-update systems?
              sz-a

              Lawrence Garvin wrote:

              Create a subgroup of "Clients" called "Java". Approve the JRE7u67 x64 update for the "Java" group, and *ADD* the necessary clients to that group.

              This I did already. By the way: The necessary client should be in both groups (in the example "Java" and "clients")? I thought the group "java" inherits all approvals from the upper group "clients"?

              Lawrence Garvin wrote:

              For the computers in the other groups that report as needed, ignore them.

              And this is what I want: How do I ignore updates on a group? Or do you mean I have to ignore this behavior, that updates I don't want to install are showing yellow?

                • Re: How to separate update and no-update systems?
                  Lawrence Garvin

                  By the way: The necessary client should be in both groups (in the example "Java" and "clients")? I thought the group "java" inherits all approvals from the upper group "clients"?

                  That is correct. The subgroup does inherit update approvals, and you could simply move the client from the parent group to the "Java" group.

                   

                  How do I ignore updates on a group? Or do you mean I have to ignore this behavior, that updates I don't want to install are showing yellow?

                  I'm saying that if you use the correct update package, only the clients that have Java already installed will report the update as NotInstalled. The clients that do not have Java installed will report the update as NotApplicable.
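The behaviour described in the replies above, as an added example that is not part of the original thread and is not WSUS or Patch Manager code: a simplified Python model in which the reported state depends only on the package's applicability rules, while installation also requires an approval on the client's group or one of its parent groups. The client names, the 7u65 version and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model of the thread's setup; constructed data, not WSUS code.
PARENT = {"All Computers": None, "Clients": "All Computers",
          "Server": "All Computers", "Java": "Clients"}
TARGET = "7u67"  # version delivered by the package

@dataclass(frozen=True)
class Client:
    name: str
    group: str
    x64: bool
    jre: Optional[str]  # installed JRE version, None if Java is absent

def detect(c, upgrade_only):
    """State the client reports; approvals play no part in it."""
    if not c.x64 or (upgrade_only and c.jre is None):
        return "NotApplicable"
    return "Installed" if c.jre == TARGET else "NotInstalled"

def approved(group, approvals):
    """A group is covered by its own approval or by any ancestor's."""
    while group is not None:
        if group in approvals:
            return True
        group = PARENT[group]
    return False

def evaluate(clients, approvals, upgrade_only):
    """Map client name -> (reported state, will the update be installed)."""
    result = {}
    for c in clients:
        state = detect(c, upgrade_only)
        result[c.name] = (state, state == "NotInstalled" and approved(c.group, approvals))
    return result

CLIENTS = [  # constructed sample machines
    Client("pc-java-old", "Java", True, "7u65"),
    Client("pc-java-new", "Java", True, None),
    Client("pc-plain", "Clients", True, None),
    Client("srv-app", "Server", True, "7u65"),
    Client("pc-32bit", "Clients", False, None),
]

if __name__ == "__main__":
    for upgrade_only in (False, True):
        print("upgrade package" if upgrade_only else "full package")
        for name, (state, installs) in evaluate(CLIENTS, {"Java"}, upgrade_only).items():
            print(f"  {name:12} {state:14} installs={installs}")
```

With the full package every x64 client reports NotInstalled but only members of "Java" install it; with the upgrade package the clients without Java report NotApplicable instead.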

                    • Re: How to separate update and no-update systems?
                      sz-a


                      So I should change the way I install software? Until now I have used the non-upgrade packages to install updates on all systems in different groups (old systems which have and new systems which don't have any 3rd party software installed). Using the upgrade packages would mean that I have to preinstall systems with all needed 3rd party software.

                       

                      In theory I could manually run a management task which installs one or more not approved non-upgrade packages on new systems. But publishing the package to WSUS leads to the point where clients without the package "need" it.

                      • If a client is a member of a WSUS group, it should get all 3rd party updates of the group (or install if not installed)
                      • If a client is a member of another WSUS group (where a package is not approved), all not approved install packages should not be needed

                       

                      ... Another idea: I misunderstand the WSUS use: All published packages are needed if the package requirements meet the client's configuration (for example: Java x32 for x64 package --> client x64 OS), right? The check whether the software is already installed in an older version (by searching for a reg-key) is also a "package requirement". So all updates which are not installed and not approved are left in status needed. Then there is no way to define "package x has not to be installed on client group y" ... Or "package x is only needed and to be installed in client group y, whether it is installed or not"?