Configuring location-based GPO for WSUS updates but only for some clients
You need multiple GPOs.
- Create one GPO to download using the WSUS server. Apply this to the site.
- Create a group containing the computers that you want to auto-update.
- Create a GPO that sets WSUS to auto-install. Apply security filtering to the GPO so that only the group in step 2 applies the policy. Apply this (as second priority to the GPO in step 1) to the site.
As far as connecting to WU, you need to have a company policy that remote users VPN in at some interval to facilitate updates. Create a replica server in your DMZ with no content so the systems will get the content from the Microsoft Update servers (so you won't need to be connected to the VPN to get the updates).
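Added example (not part of the answer above) of scripting the three steps with the GroupPolicy and ActiveDirectory PowerShell modules on a domain controller; the WSUS URL, site DN, domain name, group name and computer name are assumed placeholders.

```powershell
# Assumed values, not taken from the post: replace with your own.
$WsusUrl   = 'http://wsus.example.com:8530'
$SiteDn    = 'CN=HeadOffice,CN=Sites,CN=Configuration,DC=example,DC=com'
$Domain    = 'example.com'
$GroupName = 'WSUS-AutoInstall'
$WuKey     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

Import-Module GroupPolicy
Import-Module ActiveDirectory

# Step 1: base GPO linked to the site. It only points clients at the
# WSUS server; it deliberately sets no AUOptions, so it cannot conflict
# with the auto-install GPO regardless of link order.
$base = New-GPO -Name 'WSUS - Use Internal Server' -Domain $Domain
Set-GPRegistryValue -Name $base.DisplayName -Key $WuKey -ValueName 'WUServer'       -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $base.DisplayName -Key $WuKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $base.DisplayName -Key "$WuKey\AU" -ValueName 'UseWUServer' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $base.DisplayName -Target $SiteDn -Domain $Domain -LinkEnabled Yes -Order 1 | Out-Null

# Step 2: security group holding the computers that may auto-install.
$group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $group -Members (Get-ADComputer 'PC01')   # 'PC01' is a placeholder

# Step 3: auto-install GPO, security-filtered to the group, linked second.
$auto = New-GPO -Name 'WSUS - Auto Install' -Domain $Domain
# AUOptions 4 = auto download and schedule the install; day 0 = every day, time 3 = 03:00.
Set-GPRegistryValue -Name $auto.DisplayName -Key "$WuKey\AU" -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $auto.DisplayName -Key "$WuKey\AU" -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $auto.DisplayName -Key "$WuKey\AU" -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null
# Security filtering: drop Apply from Authenticated Users but keep Read
# (every computer still has to read the GPO to evaluate it), then grant
# Apply only to the group from step 2.
Set-GPPermission -Name $auto.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $auto.DisplayName -TargetName $GroupName            -TargetType Group -PermissionLevel GpoApply | Out-Null
New-GPLink -Name $auto.DisplayName -Target $SiteDn -Domain $Domain -LinkEnabled Yes -Order 2 | Out-Null

# Check: who can apply the auto-install GPO? Only the group should show GpoApply.
Get-GPPermission -Name $auto.DisplayName -All | Select-Object Trustee, Permission
```

On a client, `gpresult /r /scope:computer` should list both GPOs for a group member and only the base GPO for any other machine in the site.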
I've done this with WSUS and found that odd things go wrong. Do you want to use WSUS to approve the updates but download from MS?
I set up something like this where the main office had its own WSUS server and PCs in the branch offices had a secondary WSUS server. The secondary server was configured not to download anything and the approvals were chained from the main server. I used GPOs to assign PCs to one or the other.
What I found was that users who took their laptops to the main office would show up once on the main server and never be able to connect to the secondary WSUS server. I would have to delete the node from the main one to allow it to sync.
The same would occur for people who went to a branch office with their laptop.
Once a PC has contacted a particular WSUS node it appears to 'stick' and you cannot switch over to another one... but not always. Often this would correct itself. As far as I know this should work, but I kept finding nodes which had not updated in months. Deleting the node in WSUS would solve the issue.
In short - it didn't work well at all.
When people were offsite (but connected by VPN) the GPOs should have directed the users directly to MS - but I would find that they would keep applying the old GPOs, sometimes for months, before a `gpupdate /force` would correct the situation. This is a group policy problem but I never did find out why this occurred.
I switched over to a single server which feeds out the patches to everyone. Guess what? No one noticed the difference but everything works perfectly.