
When the WSUS isn't available


Q

Jun 18, 2009, 2:56:02 PM
Hi there,

On our domain we have a WSUS server and a policy setup to "Automatically
download recommended updates for my computer and install them" at a
particular time.

My question is if a person takes their laptop off the domain for 6 months,
will XP detect there is no access to the WSUS server and get the updates from
Microsoft?

Thanks
Quinton

PA Bear [MS MVP]

Jun 18, 2009, 6:28:26 PM
[[ Right pew, wrong church. Forwarded to WSUS newsgroup
(microsoft.public.windows.server.update_services) via crosspost as a
convenience to OP.

On the web:
http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windows.server.update_services

In your newsreader:
news://msnews.microsoft.com/microsoft.public.windows.server.update_services
]]

Harry Johnston [MVP]

Jun 18, 2009, 8:24:36 PM
> Q wrote:

>> Hi there,
>>
>> On our domain we have a WSUS server and a policy setup to "Automatically
>> download recommended updates for my computer and install them" at a
>> particular time.
>>
>> My question is if a person takes their laptop off the domain for 6
>> months,
>> will XP detect there is no access to the WSUS server and get the updates
>> from Microsoft?

No, it won't.

Harry.

Dave Mills

Jun 19, 2009, 12:57:22 AM

But it would be a nice enhancement to the product to be able to configure a
timeout (in days say) after which the client would revert to using WU/MU when
the WSUS server is still not contactable. For example if the WSUS server is not
contactable and the time since the last contact with the WSUS server is greater
than x days then go to WU/MU.

Maybe two timeouts would be even better. The short timeout would trigger a
download from WU/MU of previously approved updates that are simply waiting to
download the content. So if a laptop is connected for say 5 minutes and gets
told to download a lot of updates (SP's etc) but is then removed from the
network after a few days it would get the downloads from WU/MU and install them.
The long timeout would also go to WU/MU but set different approval options such
as 3. Download and Notify instead of 4. Scheduled install.
>
> Harry.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

Q

Jun 19, 2009, 7:37:01 AM
* PA Bear, thanks for the move. This is only my 2nd time here, so I'm a bit
lost on where to post...
* Harry, thanks for the info!

Hey Dave, I've been given the task of coming up with a way to fix this issue
of laptops not getting updates when the professors go away for months at a
time.

I've basically created a start up script that detects if the IP address is
from our network or not.
If the laptop is not on the network then I delete 3 reg values.

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /V WUServer /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUStatusServer /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /V UseWUServer /f

When the laptop comes back on the domain it will get a gpupdate and the
laptop will receive the policy for WSUS.

It's still in the testing phase, but here is the script.


REM Save the current IP configuration and look for our network prefix in it.
IPCONFIG > %temp%\TEMPIP.txt
findstr XXX.XXX %temp%\tempip.txt
REM findstr returns errorlevel 1 when the prefix is not found.
IF errorlevel 1 GOTO :AWAY

ECHO On site!
GOTO :END

:AWAY
echo Off site
REM Remove the three WSUS policy values.
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /V WUServer /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUStatusServer /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /V UseWUServer /f

:END


I welcome any input anyone may have. I'm a beginner at scripting.

Thanks
Quinton

Lawrence Garvin [MVP]

Jun 19, 2009, 2:20:09 PM
"Dave Mills" <Ne...@nospam--djmills-dot-co.uk> wrote in message
news:ag5m355ivnlin90ci...@4ax.com...

>>> My question is if a person takes their laptop off the domain for 6
>>> months,
>>> will XP detect there is no access to the WSUS server and get the updates
>>> from Microsoft?

>>No, it won't.

> But it would be a nice enhancement to the product to be able to configure
> a
> timeout (in days say) after which the client would revert to using WU/MU
> when
> the WSUS server is still not contactable.

This is easily implemented. Create a scheduled task to run every 'x' days
that resets the registry value UseWUServer to dword:0x0. If group policy is
not being refreshed (as a result of a non-existent network/domain
connection), then the registry setting will remain in force, and the system
will revert to using Automatic Updates until the next group policy refresh
reverts that value to true, resetting the connection to the WSUS Server.

Or, perhaps the inverse is a better solution. Don't use group policy to
configure highly-mobile notebooks at all. Use a locally-stored startup
script that populates the registry conditionally based on whether the
machine is connected to the domain (a simple ping/response to the DC can
establish that). If not connected, set UseWUServer=dword:0x0 (Automatic
Updates), if it is connected, set UseWUServer=dword:0x1 (WSUS).

> So if a laptop is connected for say 5 minutes and gets
> told to download a lot of updates (SP's etc) but is then removed from the
> network after a few days it would get the downloads from WU/MU and install
> them.

The "best practice" for notebooks with a high probability of disconnects
from the corporate network is to configure a second WSUS Server with no
content store, thus forcing the notebook(s) to always obtain content from
microsoft.com.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

Lawrence Garvin [MVP]

Jun 19, 2009, 2:22:59 PM
"Q" <Q...@discussions.microsoft.com> wrote in message
news:E562BB60-77B9-43E2...@microsoft.com...

>* PA Bear, thanks for the move. This is only my 2nd time here, so I'm a bit
> lost on where to post...
> * Harry, thanks for the info!
>
> Hey Dave, I've been given the task of coming up with a way to fix this
> issue
> of laptops not getting updates when the professors go away for months at a
> time.
>
> I've basically created a start up script that detects if the IP address is
> from our network or not.
> If the laptop is not on the network then I delete 3 reg values.

The concept is valid....

> reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /V WUServer /f
> reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUStatusServer /f
> reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /V UseWUServer /f

But the execution is flawed.

The *correct* response in this code block should be merely to CHANGE the
value of UseWUServer to FALSE, thus "turning off" the use of WSUS. When
UseWUServer=dword:0x0, the values WUServer and WUStatusServer will be
ignored. Restoring use of WSUS is as simple as setting this value back to
true (dword:0x1).


> When the laptop comes back on the domain it will get a gpupdate and the
> laptop will receive the policy for WSUS.

Or, using Group Policy to reset the registry. :-)

Harry Johnston [MVP]

Jun 20, 2009, 7:53:37 PM
Lawrence Garvin [MVP] wrote:

> This is easily implemented. Create a scheduled task to run every 'x'
> days that resets the registry value UseWUServer to dword:0x0. If group
> policy is not being refreshed (as a result of a non-existent
> network/domain connection), then the registry setting will remain in

> force, [...]

I'm not certain of this - group policy does get cached locally under some
circumstances, although I'm not sure of the details.

Harry.

Dave Mills

Jun 23, 2009, 2:14:04 AM

I would also expect that you would need to set the GPO to be applied even if not
changed. This would cause additional processing on every refresh. Without this
it would be easy to think the registry setting can be changed, some testing
would be necessary. I use this technique for setting the Proxy IP in IE and even
though the GPO is enforced if the registry is changed it is not enforced until
back on the network. What the WSUS GPO would do would need to be determined by
testing.

Still not as neat as a WSUS configuration option though. I hate "smart" setups
as I assume they are the ones most likely to change behaviour unexpectedly in a
future system implementation.

Q

Jun 24, 2009, 10:54:02 AM

Thanks so much for your responses!

I've got it working (in a test environment) now, but it looks like I can
tweak some things as well.

Thanks again!
Quinton

Q

Jun 26, 2009, 10:09:01 AM

Hi Lawrence, is there a way just to edit the dword via reg command? I've been
trying but I'm unsuccessful. I don't want to import anything...just alter the
value. Can you provide me with the correct syntax?

Thanks
Quinton.

Q

Jun 26, 2009, 10:18:01 AM

Never mind, I found my mistake. I was looking in the wrong spot, my path was
missing the "t" in /software. It was just a typo.

Lawrence Garvin [MVP]

Jun 26, 2009, 11:07:43 AM

"Q" <Q...@discussions.microsoft.com> wrote in message
news:D10EF508-56C0-48F1...@microsoft.com...

> Hi Lawrence, is there a way just to edit the dword via reg command?

Yes.

> I've been
> trying but I'm unsuccessful. I don't want to import anything...just alter
> the
> value. Can you provide me with the correct syntax?

Pay special attention to the /f flag.

===========================================================
REG ADD KeyName [/v ValueName | /ve] [/t Type] [/s Separator] [/d Data] [/f]

  KeyName  [\\Machine\]FullKey
           Machine  Name of remote machine - omitting defaults to the
                    current machine. Only HKLM and HKU are available on
                    remote machines.
           FullKey  ROOTKEY\SubKey
           ROOTKEY  [ HKLM | HKCU | HKCR | HKU | HKCC ]
           SubKey   The full name of a registry key under the selected
                    ROOTKEY.

  /v       The value name, under the selected Key, to add.

  /ve      adds an empty value name (Default) for the key.

  /t       RegKey data types
           [ REG_SZ    | REG_MULTI_SZ | REG_EXPAND_SZ |
             REG_DWORD | REG_BINARY   | REG_NONE ]
           If omitted, REG_SZ is assumed.

  /s       Specify one character that you use as the separator in your data
           string for REG_MULTI_SZ. If omitted, use "\0" as the separator.

  /d       The data to assign to the registry ValueName being added.

  /f       Force overwriting the existing registry entry without prompt.
===========================================================
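
Added example (not part of any post in this thread): a startup script along the lines Lawrence Garvin describes above, which toggles UseWUServer with REG ADD instead of deleting the policy values. DC_HOST and its value are placeholders; the ping test with a "TTL=" match and the wuauserv restart are assumptions of this example, and how a cached or reapplied group policy treats the changed value still needs the testing Harry Johnston and Dave Mills mention.

```batch
@echo off
rem Added example: switch the update source at startup by toggling UseWUServer.
rem DC_HOST is a placeholder (assumption); use one of your domain controllers.
setlocal
set "DC_HOST=dc01.example.edu"
set "AU_KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

rem If the value was never written, this machine is not WSUS-managed by
rem policy, so there is nothing to toggle.
reg query "%AU_KEY%" /v UseWUServer >nul 2>&1
if errorlevel 1 (
    echo UseWUServer not present, leaving update settings alone.
    goto :done
)

rem ping can return errorlevel 0 on "Destination host unreachable", so match
rem "TTL=", which only appears in a real echo reply.
ping -n 2 -w 1000 %DC_HOST% | find "TTL=" >nul
if errorlevel 1 (
    rem No reply from the DC: off site, fall back to Windows/Microsoft Update.
    set "USE_WSUS=0"
) else (
    rem DC answered: on site, use the WSUS server named in WUServer.
    set "USE_WSUS=1"
)

rem /t REG_DWORD keeps the value type; /f overwrites without prompting.
reg add "%AU_KEY%" /v UseWUServer /t REG_DWORD /d %USE_WSUS% /f >nul
if errorlevel 1 (
    echo Could not write UseWUServer, run this as a machine startup script.
    goto :done
)
echo UseWUServer set to %USE_WSUS%

rem Restart Automatic Updates so the client rereads the setting (assumption:
rem the service does not pick up the change until restarted).
net stop wuauserv >nul 2>&1
net start wuauserv >nul 2>&1

:done
endlocal
```

WUServer and WUStatusServer are left in place, so setting UseWUServer back to 1 is enough to return the laptop to WSUS. A missing reply only ever moves the client to Microsoft's servers, so a blocked or filtered ping degrades to the off-site behaviour rather than leaving the machine without an update source.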
