I have a WSUS GPO for servers; they are set to auto download and notify for install. The workstations GPO is auto download and schedule the install.

----- Original Message ----- From: "Joseph Heaton" <jhea...@dfg.ca.gov>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Sent: Thursday, October 08, 2009 1:43 PM
Subject: Re: Patch management software question, again...


Ben,

How can you tell it not to reboot the server? The only setting I've found is the GP setting which tells it not to automatically reboot if there's a user logged in.

Ben Scott <mailvor...@gmail.com> 10/8/2009 9:09 AM >>>
On Thu, Oct 8, 2009 at 11:30 AM, Joseph Heaton <jhea...@dfg.ca.gov> wrote:
The reasons we're moving away from Shavlik are:
1) Price increased dramatically.  ...
2)  ... it would reboot the box, even if you told it not to.  ...
... if I can get WSUS to do what I want, combined with Group Policy ...

 I'm pretty sure WSUS will do all that.  You can't beat the price.
It's limited to Microsoft products only, of course.  (I've seen a
third-party product that was supposed to add fourth-party updates to
WSUS, but never tried it.)

 WUAU: Windows Update Auto Update.  This is the thing that sits in
the background, checking for updates, downloading them, and installing
them, depending on options and commands.  By default, it looks to
Microsoft's public servers for updates, but you can change that to
look to your WSUS server.

 WSUS: Windows Software Update Services.  You run a WSUS server.  It
acts as a local repository/mirror of updates, distributes them to WUAU
clients, collects reporting information from clients, and maintains
its management database.

 WSUS management UI: You can approve updates for just detection
(reporting as needed), or installation.  You can put computers in
groups.  You approve patches differently for each group.  You can set
groups to auto-approve updates.  It can give you reports on update
installation status, by computer or by update.  Some other things.

 Group Policy gives you: Central configuration of WUAU.  Just notify
on patches, or download and prompt for install, or automatically
install (same options as for the stand-alone client WUAU GUI).  What
WSUS server to use.  When to attempt detect/install.  Prompt the user
to reboot or not.  Some other things.

 We have our WSUS server set to auto-approve critical updates.

 Clients are set to detect/install every night at 3 AM.  If the
computer is off at 3 AM, it runs the detect/install as soon as the
computer starts.  Reboots are forced, with a 5 minute countdown
displayed on the screen.  Users can tell it to reboot sooner if they
don't want to wait, but they can't defer it.

 Servers are set to detect and download and notify, but not auto
install.  We manually log into servers and run the updates.  We only
have a few servers, so this works for us.

 WSUS is actually a pretty good solution, I think, given the price of
viable alternatives.  Of course, most alternatives support
non-Microsoft products, too, so that's not really the same thing.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
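
The Group Policy settings discussed in this thread (notify versus scheduled install, the install hour, the logged-on-user reboot setting, which WSUS server to use) are stored on each client as registry values under the Windows Update policy key. The following PowerShell is an added example, not code from anyone in the thread, for checking which settings a given machine actually received; the function names and the output field names are made up for illustration.

```powershell
# Added example: decode the Windows Update policy values that Group Policy
# writes on a client, to confirm a server got "download and notify" (3)
# and a workstation got "download and schedule the install" (4).
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

# Meaning of the AUOptions policy value.
$AuOptionText = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Get-WuPolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-WuPolicySummary {
    $au       = Get-WuPolicyValue $AuKey 'AUOptions'
    $noReboot = Get-WuPolicyValue $AuKey 'NoAutoRebootWithLoggedOnUsers'
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        UsesWsus    = (Get-WuPolicyValue $AuKey 'UseWUServer') -eq 1
        WsusServer  = Get-WuPolicyValue $WuKey 'WUServer'
        AUOptions   = $au
        Behaviour   = if ($null -eq $au) { 'Not configured by policy' }
                      else { $AuOptionText[[int]$au] }
        # ScheduledInstallTime is the hour (0-23); only used with AUOptions 4.
        InstallHour = if ($au -eq 4) { Get-WuPolicyValue $AuKey 'ScheduledInstallTime' }
                      else { $null }
        # Only relevant to scheduled installs: suppresses the automatic
        # restart while a user is logged on.
        NoAutoRebootWithLoggedOnUsers = $noReboot -eq 1
        # With AUOptions 3 nothing installs until someone logs on and runs it.
        InstallsUnattended = $au -eq 4
    }
}

Get-WuPolicySummary | Format-List
```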


