There is no facility for either/or, or a 'fallback' scenario in WSUS v2.
The best you can do is disable the policy "Specify intranet Microsoft update
service location", which will force those clients to use "Automatic Updates"
for the duration of their absence. In that scenario, they will obtain and
install ALL critical and security updates. You will have no ability to choose
which updates are installed.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
....
If they could, then the client would update at MS and on the Intranet and
the downside would be that the admin could not "approve" updates because as
soon as the client left the internal network they would get all the
unapproved updates.
Naturally the WSUS update server would have to have the correct info.
Again, don't know the answer.
"Lawrence Garvin (MVP)" <onsi...@community.nospam> wrote in message
news:uBSCsgXb...@TK2MSFTNGP06.phx.gbl...
Absolutely. Exactly the same way. You can think of WU/MU as just a "WSUS
site" with 100% of the updates approved for installation.
> If so, couldn't Simn put a DNS or hosts entry on their network to say that
> windowsupdate.microsoft.com is the IP of their WSUS update server and set
> their group policies to update at windowsupdate.microsoft.com?
Why would you muck with faking a DNS entry and placing an incorrect URL
policy in the system, when my suggested fix is exactly the correct (read:
Documented) way to accomplish the desired objective?
Disabling the "Specify intranet Microsoft update service location" policy
causes the registry value "UseWUServer" to be reset to dword:0x0, which
causes the WUA to ignore the custom URLs pointing to the local WSUS server,
at which point the WUA then uses the =hardcoded= URLs to access the correct
URL at microsoft.com.
Furthermore, the policy then reflects, accurately, what the intent of the
client-side behavior should be. (i.e. Update from microsoft.com, not the
WSUS server.)
> If they could, then the client would update at MS and on the Intranet and
> the downside would be that the admin could not "approve" updates because
> as soon as the client left the internal network they would get all the
> unapproved updates.
Yep... that's the downside of the scenario regardless of the methodology
used.
In addition, if one points windowsupdate.microsoft.com to an internal IP
Address using internal DNS or hosts files, how is a client system supposed
to get to the =real= windowsupdate.microsoft.com website when they need to
access WU/MU directly to install optional software updates?
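
An added example, not part of the original thread: a PowerShell check that reports which update source the WUA on a client will use, based on the "UseWUServer" value described above. The registry paths and the "WUServer"/"WUStatusServer" value names are the standard Windows Update policy locations and are not quoted in the thread; the function names are hypothetical.

```powershell
# Added example: report the update source the Windows Update Agent (WUA) will use.
# Registry paths are the standard Windows Update policy locations (not from the thread).
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-WuaUpdateSource {
    $useWuServer = Get-PolicyValue -Path $AuKey -Name 'UseWUServer'
    $wuServer    = Get-PolicyValue -Path $WuKey -Name 'WUServer'
    $wuStatus    = Get-PolicyValue -Path $WuKey -Name 'WUStatusServer'

    if ($useWuServer -eq 1 -and $wuServer) {
        $source = 'WSUS'
        $note   = 'Only updates approved on the WSUS server are offered.'
    }
    elseif ($useWuServer -eq 1) {
        # Flag is set but there is no URL to go with it.
        $source = 'Inconsistent'
        $note   = 'UseWUServer is 1 but no WUServer URL is set.'
    }
    else {
        # UseWUServer is 0 or absent: custom URLs are ignored and the
        # hardcoded microsoft.com URLs are used, so approvals do not apply.
        $source = 'Microsoft (hardcoded URLs)'
        if ($wuServer) {
            $note = 'WUServer URL is present but ignored; WSUS approvals do not apply.'
        } else {
            $note = 'No intranet update server configured.'
        }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        UseWUServer    = $useWuServer
        WUServer       = $wuServer
        WUStatusServer = $wuStatus
        Source         = $source
        Note           = $note
    }
}

Get-WuaUpdateSource | Format-List
```

Run on roaming clients, this shows whether a machine is currently bound to WSUS approvals or is taking every critical and security update directly from Microsoft.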