Yep, I know that's the "normal" way to do it, lots of you guys, and myself where I was before, do it that way. But, my sup here wants to be able to schedule the updates, install them, but NOT reboot. He then wants a report, that tells us what servers are pending a reboot due to the updates, so we can schedule those reboots.
>>> "James Kerr" <[email protected]> 10/8/2009 10:53 AM >>>
I have a WSUS GPO for servers, they are set to auto download and notify for install. Workstations GPO is auto download and schedule the install.

----- Original Message -----
From: "Joseph Heaton" <[email protected]>
To: "NT System Admin Issues" <[email protected]>
Sent: Thursday, October 08, 2009 1:43 PM
Subject: Re: Patch management software question, again...

Ben,

How can you tell it not to reboot the server? The only setting I've found is the GP setting which tells it not to automatically reboot if there's a user logged in.

>>> Ben Scott <[email protected]> 10/8/2009 9:09 AM >>>
On Thu, Oct 8, 2009 at 11:30 AM, Joseph Heaton <[email protected]> wrote:
> The reasons we're moving away from Shavlik are:
> 1) Price increased dramatically. ...
> 2) ... it would reboot the box, even if you told it not to. ...
> ... if I can get WSUS to do what I want, combined with Group Policy ...

I'm pretty sure WSUS will do all that. You can't beat the price. It's limited to Microsoft products only, of course. (I've seen a third-party product that was supposed to add fourth-party updates to WSUS, but never tried it.)

WUAU: Windows Update Auto Update. This is the thing that sits in the background, checking for updates, downloading them, and installing them, depending on options and commands. By default, it looks to Microsoft's public servers for updates, but you can change that to look to your WSUS server.

WSUS: Windows Software Update Services. You run a WSUS server. It acts as a local repository/mirror of updates, distributes them to WUAU clients, collects reporting information from clients, and maintains its management database.

WSUS management UI: You can approve updates for just detection (reporting as needed), or installation. You can put computers in groups. You approve patches differently for each group. You can set groups to auto-approve updates. It can give you reports on update installation status, by computer or by update. Some other things.

Group Policy gives you: Central configuration of WUAU. Just notify on patches, or download and prompt for install, or automatically install (same options as for the stand-alone client WUAU GUI). What WSUS server to use. When to attempt detect/install. Prompt the user to reboot or not. Some other things.

We have our WSUS server set to auto-approve critical updates. Clients are set to detect/install every night at 3 AM. If the computer is off at 3 AM, it runs the detect/install as soon as the computer starts. Reboots are forced, with a 5 minute countdown displayed on the screen. Users can tell it to reboot sooner if they don't want to wait, but they can't defer it.

Servers are set to detect and download and notify, but not auto install. We manually log into servers and run the updates. We only have a few servers, so this works for us.

WSUS is actually a pretty good solution, I think, given the price of viable alternatives. Of course, most alternatives support non-Microsoft products, too, so that's not really the same thing.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
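
Added example (not part of the thread, and not code from any poster): one way to produce the "which servers are pending a reboot" report asked for at the top, by checking each server for the registry keys Windows creates when an installed update needs a restart. The server names are placeholders, the registry paths do not appear in the thread, and the script assumes the Remote Registry service is reachable with admin rights from the machine running it.

```powershell
# Added example. Server names below are hypothetical placeholders.
param(
    [string[]]$ComputerName = @('SERVER01', 'SERVER02')
)

# HKLM keys whose mere presence means a restart is still outstanding.
# Run from a 64-bit PowerShell so the paths are not redirected to Wow6432Node.
$markers = @{
    'WindowsUpdate' = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    'Servicing'     = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
}

function Get-PendingReboot {
    param([string]$Computer)

    $result = New-Object PSObject -Property @{
        Computer = $Computer; PendingReboot = $null; Source = ''; Error = ''
    }
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $hits = @()
        foreach ($name in $markers.Keys) {
            $key = $hklm.OpenSubKey($markers[$name])
            if ($key) { $hits += $name; $key.Close() }
        }
        $hklm.Close()
        $result.PendingReboot = ($hits.Count -gt 0)
        $result.Source = ($hits -join ',')
    } catch {
        # An unreachable server stays "unknown" (PendingReboot = $null);
        # it must not be reported as "no reboot needed".
        $result.Error = $_.Exception.Message
    }
    $result
}

$ComputerName | ForEach-Object { Get-PendingReboot $_ } |
    Sort-Object Computer |
    Select-Object Computer, PendingReboot, Source, Error |
    Format-Table -AutoSize
```

Rows with a blank PendingReboot and a non-empty Error are servers that could not be queried; treat them as unpatched-status-unknown when scheduling the reboot window.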
