Somewhere between the physical and the virtual
We've heard it from you! You've been using WSUS for years and you have been using different Windows Update settings for your clients and servers. Maybe you want your clients to automatically download and install approved updates, but your servers should only download and notify the administrator. Now you can with System Center Essentials 2010 using the same approach you used with WSUS! Check out this excerpt from the Essentials 2010 Operations Guide.
How to Create Custom Update Settings for Client and Server Computers in Essentials
System Center Essentials 2010 uses Group Policy to configure the Windows Update agent to receive updates from the Essentials management server. These settings apply to all computers managed by Essentials unless you create a new Group Policy object (GPO) to customize the update settings. This section provides information about the default Windows Update agent settings and instructions on creating a GPO to apply to a specific group of computers, such as clients or servers, with customized Windows Update settings.
Default Windows Update Agent Settings in Essentials 2010
The default Windows Update settings used by Essentials are shown in the following table.
Windows Update Setting
Configure automatic updates
Configure automatic updating
4 (auto-download and schedule the install)
Scheduled install day
0 (every day)
Scheduled install time
Specify intranet Microsoft Update Service location
Intranet update server
Intranet statistics server
Allow signed content from intranet Microsoft Update service locations
No auto-restart for scheduled Automatic Updates installations
These settings are included in the SCE Managed Computers <management groupname> group policy object.
To customize Windows Update settings using a Group Policy Object
1. Create an Active Directory Group Policy object (GPO) in the same domain as the computers to which you want to apply customized settings. For more information, see “Create a Group Policy Object” in the Microsoft TechNet Library (http://go.microsoft.com/fwlink/?LinkId=161344).
2. Change the security filtering of the GPO from Authenticated Users to the SCE Managed Computers <management group name> security group. For more information, see “Assign Security Group Filters to the GPO” in the Microsoft TechNet Library (http://go.microsoft.com/fwlink/?LinkId=161346).
3. Link the Group Policy object to the organization units (OU) containing the computers to which you want to apply the customized Windows Update Agent settings. For more information, see “Link the GPO to the Domain” in the Microsoft TechNet Library (http://go.microsoft.com/fwlink/?LinkId=161347).
4. Edit the Windows Update Agent settings in the GPO.
5. After the group policy refresh interval has elapsed (every 90 minutes by default, with a random offset of 0 to 30 minutes) the computers with customized Windows Update Agent settings will be configured.
6. If you want to revert back to the original Windows Update settings configured by Essentials 2010, you can delete the customized GPO you created in step 1.
7. If you uninstall Essentials 2010, be sure to delete any customized GPOs you have created.
Supported Customizations to Windows Update Agent Settings in Essentials 2010
The supported customizations to Windows Update settings used by Essentials 2010 are shown in the following table. For more information, see “Configure Automatic Updates by Using Group Policy” in the Microsoft TechNet Library (http://go.microsoft.com/fwlink/?LinkId=161349).
Supported Customizable Value
Configure Automatic Updates
Configure Automatic Updating
Scheduled Install Day
Scheduled Install Time
Intranet Update Server
Intranet Statistics Server
Enable client-side targeting
Reschedule Automatic Update scheduled installation
Automatic Update detection frequency
Must be less than 24 hours
Allow Automatic Update Immediate Installation
Delay Restart for Scheduled Installations
Re-prompt for Restart with Scheduled Installations
Allow non-Administrators to Receive Update Notifications
Remove Links and Access to Windows Update
Tell us what you think! Please give us feedback in our managed forums on configuring different update settings for managed computer.
why these two articles are descripting two opposite operations ?
WOO HOOO just what I was looking for. I had assigned GPO's with different settings by SG.
Ok this is what I did:
I created new security group called SCE managed servers and added all my servers.
I created new gpo called SCE managed servers and filtered to apply only to the SCE managed servers security group.
Now what is happening is that system Center Essentials is adding the servers to the default SCE managed computers security group. I have removed the servers from the SCE managed computers security group but SCE adds them again every day.
My questions are:
* How can I stop system center essentials from re adding the servers to the default SCE managed computers group?
* What GPO is taking place for the servers, the one I created and filtered to the SCE managed servers group? or the default one filtered to the SCE managed computers group?
* Am I doing it right? all I want is to prevent the servers from restarting, downloading and installing updates automatically.
Thanks for you help!!!