System Center Essentials Team Blog

News and support on Microsoft SCE

You want different update deployment settings for servers and clients?

You want different update deployment settings for servers and clients?

  • Comments 3
  • Likes

We've heard it from you!  You've been using WSUS for years and you have been using different Windows Update settings for your clients and servers.  Maybe you want your clients to automatically download and install approved updates, but your servers should only download and notify the administrator.  Now you can with System Center Essentials 2010 using the same approach you used with WSUS!  Check out this excerpt from the Essentials 2010 Operations Guide.

How to Create Custom Update Settings for Client and Server Computers in Essentials

System Center Essentials 2010 uses Group Policy to configure the Windows Update agent to receive updates from the Essentials management server. These settings apply to all computers managed by Essentials unless you create a new Group Policy object (GPO) to customize the update settings. This section provides information about the default Windows Update agent settings and instructions on creating a GPO to apply to a specific group of computers, such as clients or servers, with customized Windows Update settings.

Default Windows Update Agent Settings in Essentials 2010

The default Windows Update settings used by Essentials are shown in the following table.

 

Windows Update Setting

Default Value

Configure automatic updates

Enabled

Configure automatic updating

4 (auto-download and schedule the install)

Scheduled install day

0 (every day)

Scheduled install time

03:00

Specify intranet Microsoft Update Service location

Enabled

Intranet update server

https://<SCEServer FQDN>:8531

Intranet statistics server

https://<SCEServer FQDN>:8531

Allow signed content from intranet Microsoft Update service locations

Enabled

No auto-restart for scheduled Automatic Updates installations

Enabled

 

These settings are included in the SCE Managed Computers <management groupname> group policy object.

To customize Windows Update settings using a Group Policy Object

1.   Create an Active Directory Group Policy object (GPO) in the same domain as the computers to which you want to apply customized settings. For more information, see “Create a Group Policy Object” in the Microsoft TechNet Library (http://go.microsoft.com/fwlink/?LinkId=161344).

2.   Change the security filtering of the GPO from Authenticated Users to the SCE Managed Computers <management group name> security group. For more information, see “Assign Security Group Filters to the GPO” in the Microsoft TechNet Library (http://go.microsoft.com/fwlink/?LinkId=161346).

3.   Link the Group Policy object to the organization units (OU) containing the computers to which you want to apply the customized Windows Update Agent settings. For more information, see “Link the GPO to the Domain” in the Microsoft TechNet Library (http://go.microsoft.com/fwlink/?LinkId=161347).

4.   Edit the Windows Update Agent settings in the GPO.

5.   After the group policy refresh interval has elapsed (every 90 minutes by default, with a random offset of 0 to 30 minutes) the computers with customized Windows Update Agent settings will be configured.

6.   If you want to revert back to the original Windows Update settings configured by Essentials 2010, you can delete the customized GPO you created in step 1.

7.   If you uninstall Essentials 2010, be sure to delete any customized GPOs you have created.

Supported Customizations to Windows Update Agent Settings in Essentials 2010

The supported customizations to Windows Update settings used by Essentials 2010 are shown in the following table. For more information, see “Configure Automatic Updates by Using Group Policy” in the Microsoft TechNet Library (http://go.microsoft.com/fwlink/?LinkId=161349).

 

Windows Update Setting

Supported Customizable Value

Configure Automatic Updates

Yes

Configure Automatic Updating

Yes

Scheduled Install Day

Yes

Scheduled Install Time

Yes

Specify intranet Microsoft Update Service location

No

Intranet Update Server

No

Intranet Statistics Server

No

Allow signed content from intranet Microsoft Update service locations

No

Enable client-side targeting

No

Reschedule Automatic Update scheduled installation

Yes

No auto-restart for scheduled Automatic Updates installations

Yes

Automatic Update detection frequency

Must be less than 24 hours

Allow Automatic Update Immediate Installation

Yes

Delay Restart for Scheduled Installations

Yes

Re-prompt for Restart with Scheduled Installations

Yes

Allow non-Administrators to Receive Update Notifications

Yes

Remove Links and Access to Windows Update

Yes

Tell us what you think! Please give us feedback in our managed forums on configuring different update settings for managed computer.

http://social.technet.microsoft.com/Forums/en-US/systemcenteressentials/thread/8ec91ecf-46b3-4ff7-ae3b-9a7757c8a0c5

 

Comments
  • why these two articles are descripting two opposite operations ?

    blogs.technet.com/.../you-want-different-update-deployment-settings-for-servers-and-clients.aspx

    blogs.technet.com/.../moving-from-wsus-to-system-center-essentials-be-sure-to-clean-up-your-group-policy-settings.aspx

  • WOO HOOO just what I was looking for. I had assigned GPO's with different settings by SG.

    thanks

  • Ok this is what I did:

    I created new security group called SCE managed servers and added all my servers.

    I created new gpo called SCE managed servers and filtered to apply only to the SCE managed servers security group.

    Now what is happening is that system Center Essentials is adding the servers to the default SCE managed computers security group. I have removed the servers from the SCE managed computers security group but SCE adds them again every day.

    My questions are:

    * How can I stop system center essentials from re adding the servers to the default SCE managed computers group?

    * What GPO is taking place for the servers, the one I created and filtered to the SCE managed servers group? or the default one filtered to the SCE managed computers group?

    * Am I doing it right? all I want is to prevent the servers from restarting, downloading and installing updates automatically.

    Thanks for you help!!!

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment