Constant WSUS issues (Connection Errors)
-
@black3dynamite said in Constant WSUS issues (Connection Errors):
@tim_g said in Constant WSUS issues (Connection Errors):
I wouldn't download all available updates. That's going to kill your available capacity.
Instead, set it to only download approved updates.
I've been doing WSUS for a long time. I really don't ever have to worry about it, other than approving updates manually. They can be set to be approved automatically, but I just can't yet.
How do you normally handle mobile users with WSUS?
We don't have any mobile users who are off-domain or never get on to the network, so they all eventually get updated.
Anyone who would be isolated from the domain and updating, is set to have automatic updates done when the device is given to them. If they don't update, they don't get back onto the network.
-
The ultimate goal is LANless, but it's a long process to get there when you have a lot of internal apps and things you can't give external access to. But we're moving to lanless / cloud as we can. Once we're there, the need for Windows gets slimmer and slimmer... then I'd go the dnf-automatic route
SodiumSuite comes to mind as well, even before reaching the LANless point.
-
delete me
-
Tim_G:
I finally got back to this and made those adjustments to my wsus resource pool and it seems to work now, so that's really good. However, I am stuck again with getting computers to show up in my wsus group. I have followed your guide and:
- Made a group in AD called "wsus workstations" and added some machines to test with
- Created a GPO called "wsus workstations policy" and changed security filtering to apply to the wsus workstations group
- Created a group in wsus called "workstations" and then pointed my wsus workstations policy GPO's "Enable client side targeting" and pointed it to the workstations wsus group.
I have not been able to see any of my computers show up.
EDIT: I've been thinking about it.. I'm not 100% clear on where to actually put my WSUS group policy. At first, I added it to a test OU which had some computers I put in there for testing. However, since I'm specified that the GPO is to apply to the wsus workstations group, I don't think it matters where I put it now, does it? My wsus workstations group is in a completely different OU than the workstations or the GPO. Its been a little while since I worked on group policy so I've just realized that I'm a bit rusty.. however, maybe this is part of why it's not working...
Also, I am thrown off by what you mean in this part of your guide:
NOTE: Updates will NOT install and your server will NOT reboot unless you go into the WSUS console, and specifically approve updates to the WSUS group you specified in this policy.
In simple terms, just make sure you do NOT approve updates in WSUS, and your servers/clients will be fine.It seems like you're saying both do and do not approve updates in wsus. I don't get it.
-
@dave247 said in Constant WSUS issues (Connection Errors):
I have not been able to see any of my computers show up.
If everything is set up correctly, it could take a while for computers to show up in WSUS, and show their update statuses.
Sometimes they show up fast, sometimes they take a day. But if it's set up correctly, they WILL eventually show up.
-
@dave247 said in Constant WSUS issues (Connection Errors):
I've been thinking about it.. I'm not 100% clear on where to actually put my WSUS group policy.
Put it where it will hit the computers it should be configuring. If you put the GPO in a test OU, then the computers must be in there too, somewhere under that OU in which you place the GPO.
-
@tim_g said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
I have not been able to see any of my computers show up.
If everything is set up correctly, it could take a while for computers to show up in WSUS, and show their update statuses.
Sometimes they show up fast, sometimes they take a day. But if it's set up correctly, they WILL eventually show up.
I set this up before a few weeks ago with a different server and I had computers show up and at that time I didn't even configure group policy or anything.. I will keep waiting though.
-
@dave247 said in Constant WSUS issues (Connection Errors):
@tim_g said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
I have not been able to see any of my computers show up.
If everything is set up correctly, it could take a while for computers to show up in WSUS, and show their update statuses.
Sometimes they show up fast, sometimes they take a day. But if it's set up correctly, they WILL eventually show up.
I set this up before a few weeks ago with a different server and I had computers show up and at that time I didn't even configure group policy or anything.. I will keep waiting though.
Whenever you apply computer group policy, or change a computers AD group membership (add/remove), you'll need to reboot the computer. Computer changes take effect during boot, user changes at login.
-
@tim_g said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@tim_g said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
I have not been able to see any of my computers show up.
If everything is set up correctly, it could take a while for computers to show up in WSUS, and show their update statuses.
Sometimes they show up fast, sometimes they take a day. But if it's set up correctly, they WILL eventually show up.
I set this up before a few weeks ago with a different server and I had computers show up and at that time I didn't even configure group policy or anything.. I will keep waiting though.
Whenever you apply computer group policy, or change a computers AD group membership (add/remove), you'll need to reboot the computer. Computer changes take effect during boot, user changes at login.
There's always
klist -li 0x3e7 purge, but that's not 100% reliable, I've found. -
Does my SW guide have the common WSUS CLI commands on there? I forget.
-
@tim_g said in Constant WSUS issues (Connection Errors):
Does my SW guide have the common WSUS CLI commands on there? I forget.
Yes, it does.
-
@tim_g said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@tim_g said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
I have not been able to see any of my computers show up.
If everything is set up correctly, it could take a while for computers to show up in WSUS, and show their update statuses.
Sometimes they show up fast, sometimes they take a day. But if it's set up correctly, they WILL eventually show up.
I set this up before a few weeks ago with a different server and I had computers show up and at that time I didn't even configure group policy or anything.. I will keep waiting though.
Whenever you apply computer group policy, or change a computers AD group membership (add/remove), you'll need to reboot the computer. Computer changes take effect during boot, user changes at login.
I usually just run cmd as admin and run gpupdate /force, which usually works. I also check with gpresult /h. That being said, I did reboot things in an attempt to get them working this time.. still no dice.
-
ok so now I have 2 Windows 10 computers that showed up, out of the 7 I added to the test group. They show up under All Computers but not the Workstations group which I've added them to.. not sure why
-
@dave247 said in Constant WSUS issues (Connection Errors):
ok so now I have 2 Windows 10 computers that showed up, out of the 7 I added to the test group. They show up under All Computers but not the Workstations group which I've added them to.. not sure why
I believe the issue is with the security filtering on your GPOs, I do groups assignments by Computer OU instead.
-
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
ok so now I have 2 Windows 10 computers that showed up, out of the 7 I added to the test group. They show up under All Computers but not the Workstations group which I've added them to.. not sure why
I believe the issue is with the security filtering on your GPOs, I do groups assignments by Computer OU instead.
oh.. well that's the way I had it at first and it seemed to work (kinda). I was just following Tim_G's guide on SpiceWorks
-
Did you specify the WSUS group in the group policys?
-
@tim_g said in Constant WSUS issues (Connection Errors):
Did you specify the WSUS group in the group policys?
Yes, via the "Enable client side targeting" option
-
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
ok so now I have 2 Windows 10 computers that showed up, out of the 7 I added to the test group. They show up under All Computers but not the Workstations group which I've added them to.. not sure why
I believe the issue is with the security filtering on your GPOs, I do groups assignments by Computer OU instead.
So when you say you go group assignments by OU, do you mean that you aren't using the client side targeting at all, and therefore do not have your computers in any sort of AD group associated with WSUS? You just add the WSUS GPO to the OU you want it to apply to and computers just show up in the WSUS list and you can update them from there?
-
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
ok so now I have 2 Windows 10 computers that showed up, out of the 7 I added to the test group. They show up under All Computers but not the Workstations group which I've added them to.. not sure why
I believe the issue is with the security filtering on your GPOs, I do groups assignments by Computer OU instead.
So when you say you go group assignments by OU, do you mean that you aren't using the client side targeting at all, and therefore do not have your computers in any sort of AD group associated with WSUS? You just add the WSUS GPO to the OU you want it to apply to and computers just show up in the WSUS list and you can update them from there?
Correct
-
@dave247 Yes. I apply an 'wsus' gpo to my Workstations OU. This gets all computers in the OU to show up in wsus. In wsus i make groups(local to wsus application) for grouping computers by OS.
