Constant WSUS issues (Connection Errors)
-
ok so now I have 2 Windows 10 computers that showed up, out of the 7 I added to the test group. They show up under All Computers but not the Workstations group which I've added them to.. not sure why
-
@dave247 said in Constant WSUS issues (Connection Errors):
ok so now I have 2 Windows 10 computers that showed up, out of the 7 I added to the test group. They show up under All Computers but not the Workstations group which I've added them to.. not sure why
I believe the issue is with the security filtering on your GPOs, I do groups assignments by Computer OU instead.
-
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
ok so now I have 2 Windows 10 computers that showed up, out of the 7 I added to the test group. They show up under All Computers but not the Workstations group which I've added them to.. not sure why
I believe the issue is with the security filtering on your GPOs, I do groups assignments by Computer OU instead.
oh.. well that's the way I had it at first and it seemed to work (kinda). I was just following Tim_G's guide on SpiceWorks
-
Did you specify the WSUS group in the group policys?
-
@tim_g said in Constant WSUS issues (Connection Errors):
Did you specify the WSUS group in the group policys?
Yes, via the "Enable client side targeting" option
-
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
ok so now I have 2 Windows 10 computers that showed up, out of the 7 I added to the test group. They show up under All Computers but not the Workstations group which I've added them to.. not sure why
I believe the issue is with the security filtering on your GPOs, I do groups assignments by Computer OU instead.
So when you say you go group assignments by OU, do you mean that you aren't using the client side targeting at all, and therefore do not have your computers in any sort of AD group associated with WSUS? You just add the WSUS GPO to the OU you want it to apply to and computers just show up in the WSUS list and you can update them from there?
-
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
ok so now I have 2 Windows 10 computers that showed up, out of the 7 I added to the test group. They show up under All Computers but not the Workstations group which I've added them to.. not sure why
I believe the issue is with the security filtering on your GPOs, I do groups assignments by Computer OU instead.
So when you say you go group assignments by OU, do you mean that you aren't using the client side targeting at all, and therefore do not have your computers in any sort of AD group associated with WSUS? You just add the WSUS GPO to the OU you want it to apply to and computers just show up in the WSUS list and you can update them from there?
Correct
-
@dave247 Yes. I apply an 'wsus' gpo to my Workstations OU. This gets all computers in the OU to show up in wsus. In wsus i make groups(local to wsus application) for grouping computers by OS.
-
@momurda said in Constant WSUS issues (Connection Errors):
@dave247 Yes. I apply an 'wsus' gpo to my Workstations OU. This gets all computers in the OU to show up in wsus. In wsus i make groups(local to wsus application) for grouping computers by OS.
Damn, that sounds like a much better approach. That way I don't have to add the extra step of adding all my computers to an additional AD group. So is this just a matter of not configuring the "Enable client-side" targeting option? I'm only asking because it seems like it's taking WSUS a long time before computers show up. It took like 2 days before 3 out of 7 systems showed up under the All Computers group..
-
@dave247 said in Constant WSUS issues (Connection Errors):
@momurda said in Constant WSUS issues (Connection Errors):
@dave247 Yes. I apply an 'wsus' gpo to my Workstations OU. This gets all computers in the OU to show up in wsus. In wsus i make groups(local to wsus application) for grouping computers by OS.
Damn, that sounds like a much better approach. That way I don't have to add the extra step of adding all my computers to an additional AD group. So is this just a matter of not configuring the "Enable client-side" targeting option? I'm only asking because it seems like it's taking WSUS a long time before computers show up. It took like 2 days before 3 out of 7 systems showed up under the All Computers group..
Group assigments take faster to apply than OUs.
-
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@momurda said in Constant WSUS issues (Connection Errors):
@dave247 Yes. I apply an 'wsus' gpo to my Workstations OU. This gets all computers in the OU to show up in wsus. In wsus i make groups(local to wsus application) for grouping computers by OS.
Damn, that sounds like a much better approach. That way I don't have to add the extra step of adding all my computers to an additional AD group. So is this just a matter of not configuring the "Enable client-side" targeting option? I'm only asking because it seems like it's taking WSUS a long time before computers show up. It took like 2 days before 3 out of 7 systems showed up under the All Computers group..
Group assigments take faster to apply than OUs.
oh I see.. like a lot faster? Like instantly? I'm totally new to WSUS...
-
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@momurda said in Constant WSUS issues (Connection Errors):
@dave247 Yes. I apply an 'wsus' gpo to my Workstations OU. This gets all computers in the OU to show up in wsus. In wsus i make groups(local to wsus application) for grouping computers by OS.
Damn, that sounds like a much better approach. That way I don't have to add the extra step of adding all my computers to an additional AD group. So is this just a matter of not configuring the "Enable client-side" targeting option? I'm only asking because it seems like it's taking WSUS a long time before computers show up. It took like 2 days before 3 out of 7 systems showed up under the All Computers group..
Group assigments take faster to apply than OUs.
oh I see.. like a lot faster? Like instantly? I'm totally new to WSUS...
Like 5 to 10 minutes.
-
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@momurda said in Constant WSUS issues (Connection Errors):
@dave247 Yes. I apply an 'wsus' gpo to my Workstations OU. This gets all computers in the OU to show up in wsus. In wsus i make groups(local to wsus application) for grouping computers by OS.
Damn, that sounds like a much better approach. That way I don't have to add the extra step of adding all my computers to an additional AD group. So is this just a matter of not configuring the "Enable client-side" targeting option? I'm only asking because it seems like it's taking WSUS a long time before computers show up. It took like 2 days before 3 out of 7 systems showed up under the All Computers group..
Group assigments take faster to apply than OUs.
oh I see.. like a lot faster? Like instantly? I'm totally new to WSUS...
Normally whatever the normal time that your PCs refresh their GPO's.. I think the default is around 15 mins.
-
@dashrender said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@momurda said in Constant WSUS issues (Connection Errors):
@dave247 Yes. I apply an 'wsus' gpo to my Workstations OU. This gets all computers in the OU to show up in wsus. In wsus i make groups(local to wsus application) for grouping computers by OS.
Damn, that sounds like a much better approach. That way I don't have to add the extra step of adding all my computers to an additional AD group. So is this just a matter of not configuring the "Enable client-side" targeting option? I'm only asking because it seems like it's taking WSUS a long time before computers show up. It took like 2 days before 3 out of 7 systems showed up under the All Computers group..
Group assigments take faster to apply than OUs.
oh I see.. like a lot faster? Like instantly? I'm totally new to WSUS...
Normally whatever the normal time that your PCs refresh their GPO's.. I think the default is around 15 mins.
ah. Well I usually never wait, lol. Just remote in and run gpupdate /force or even run it on the OU through GPMC
-
@dave247 said in Constant WSUS issues (Connection Errors):
@dashrender said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@momurda said in Constant WSUS issues (Connection Errors):
@dave247 Yes. I apply an 'wsus' gpo to my Workstations OU. This gets all computers in the OU to show up in wsus. In wsus i make groups(local to wsus application) for grouping computers by OS.
Damn, that sounds like a much better approach. That way I don't have to add the extra step of adding all my computers to an additional AD group. So is this just a matter of not configuring the "Enable client-side" targeting option? I'm only asking because it seems like it's taking WSUS a long time before computers show up. It took like 2 days before 3 out of 7 systems showed up under the All Computers group..
Group assigments take faster to apply than OUs.
oh I see.. like a lot faster? Like instantly? I'm totally new to WSUS...
Normally whatever the normal time that your PCs refresh their GPO's.. I think the default is around 15 mins.
ah. Well I usually never wait, lol. Just remote in and run gpupdate /force or even run it on the OU through GPMC
Then it should be within a few mins (under 5) before they show up in WSUS.
-
Make sure under Delegation tab, you have Authenticated Users with Read Permissions for your Policy. Especially if you removed it from the Security Filtering.
-
@dbeato said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@momurda said in Constant WSUS issues (Connection Errors):
@dave247 Yes. I apply an 'wsus' gpo to my Workstations OU. This gets all computers in the OU to show up in wsus. In wsus i make groups(local to wsus application) for grouping computers by OS.
Damn, that sounds like a much better approach. That way I don't have to add the extra step of adding all my computers to an additional AD group. So is this just a matter of not configuring the "Enable client-side" targeting option? I'm only asking because it seems like it's taking WSUS a long time before computers show up. It took like 2 days before 3 out of 7 systems showed up under the All Computers group..
Group assigments take faster to apply than OUs.
Not really, sometimes they show up instantly, other times they do not. I don't know why, but one way is not faster than the other. It just does not work like that.
When I set up a new computer, it always shows up in WSUS instantly and in the correct WSUS group. When I set an old existing computer, it typically shows up instantly.
But you have to have eveyrthing set up correctly.
-
@dave247 said in Constant WSUS issues (Connection Errors):
@momurda said in Constant WSUS issues (Connection Errors):
@dave247 Yes. I apply an 'wsus' gpo to my Workstations OU. This gets all computers in the OU to show up in wsus. In wsus i make groups(local to wsus application) for grouping computers by OS.
Damn, that sounds like a much better approach. That way I don't have to add the extra step of adding all my computers to an additional AD group. So is this just a matter of not configuring the "Enable client-side" targeting option? I'm only asking because it seems like it's taking WSUS a long time before computers show up. It took like 2 days before 3 out of 7 systems showed up under the All Computers group..
I would have originally done it that way too... but we have way too many client computers and servers to go dicking around in WSUS console every time we add a computer to WSUS (especially after initial setup, F that repetitive crap). It's MUCH simpler to stick a computer or server in an AD group, and well... that's it! Nothing more to it than that.
Step one: Put computer or server into correct AD group.
Step two: Reboot or useklist -li 0x3e7then gpupdate.Done.
Everything else is 100% automated.
-
@tim_g said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@momurda said in Constant WSUS issues (Connection Errors):
@dave247 Yes. I apply an 'wsus' gpo to my Workstations OU. This gets all computers in the OU to show up in wsus. In wsus i make groups(local to wsus application) for grouping computers by OS.
Damn, that sounds like a much better approach. That way I don't have to add the extra step of adding all my computers to an additional AD group. So is this just a matter of not configuring the "Enable client-side" targeting option? I'm only asking because it seems like it's taking WSUS a long time before computers show up. It took like 2 days before 3 out of 7 systems showed up under the All Computers group..
I would have originally done it that way too... but we have way too many client computers and servers to go dicking around in WSUS console every time we add a computer to WSUS (especially after initial setup, F that repetitive crap). It's MUCH simpler to stick a computer or server in an AD group, and well... that's it! Nothing more to it than that.
Step one: Put computer or server into correct AD group.
Step two: Reboot or useklist -li 0x3e7then gpupdate.Done.
Everything else is 100% automated.
Ok you sweet talked me back into doing it that way. Do you have a separate AD group and GPO for each type of Windows OS (Windows 7, 8.1, 10; Server 2012, etc)?
And I found out why I wasn't seeing machines show up right away. Status had "Failed or Needed" selected by default and when I changed it to "any" I can now see all the computers that have the WSUS GPO applied to them. Now I just need to finish reading through the guide so I can learn the right way of going about approving and installing updates..
Also, do you use that
klist -li 0x3e7on the system needing the update remotely through Powershell or what? I'm just asking because I always discover that I've been doing things the idiot way..Also also, do you guys suggest downloading drivers as well? We also have a handful of SQL servers, should I include SQL Service Packs for those or is that something I should just do manually, to avoid problems?
Here's my classification selections:
-
@dave247 said in Constant WSUS issues (Connection Errors):
@tim_g said in Constant WSUS issues (Connection Errors):
@dave247 said in Constant WSUS issues (Connection Errors):
@momurda said in Constant WSUS issues (Connection Errors):
@dave247 Yes. I apply an 'wsus' gpo to my Workstations OU. This gets all computers in the OU to show up in wsus. In wsus i make groups(local to wsus application) for grouping computers by OS.
Damn, that sounds like a much better approach. That way I don't have to add the extra step of adding all my computers to an additional AD group. So is this just a matter of not configuring the "Enable client-side" targeting option? I'm only asking because it seems like it's taking WSUS a long time before computers show up. It took like 2 days before 3 out of 7 systems showed up under the All Computers group..
I would have originally done it that way too... but we have way too many client computers and servers to go dicking around in WSUS console every time we add a computer to WSUS (especially after initial setup, F that repetitive crap). It's MUCH simpler to stick a computer or server in an AD group, and well... that's it! Nothing more to it than that.
Step one: Put computer or server into correct AD group.
Step two: Reboot or useklist -li 0x3e7then gpupdate.Done.
Everything else is 100% automated.
Ok you sweet talked me back into doing it that way. Do you have a separate AD group and GPO for each type of Windows OS (Windows 7, 8.1, 10; Server 2012, etc)?
We only have like 2 or 3 Win8 computers, and those are just set to automatically update.
AD Groups:
Group Policies:
WSUS Groups:
Note, I left out the Hyper-V Server stuff. I've been doing those manually since there's so few and they are fast.
