GPO settings without WSUS

  • #14308
    ddemers
    Participant

    Hi, I have searched the forum and found only the GPO recommendation for Windows Update settings when combined with WSUS. We don’t use WSUS and would like to know the recommended GPO settings. Our previous settings were at “7 – auto download, notify to install, notify to restart”.
    We were successful at installing and rebooting the remote server, but we also have the requirement to run “usoclient startscan”, and when the GPO was active it was not refreshing the display of current update status in the Windows Update dialog box (we have multiple admins connecting to the server who don’t like to see pending updates). What we did is we removed the GPO and it was working fine. The problem is that without the GPO to force human intervention, Windows Server decided yesterday that new updates were available and it was a good idea to install and reboot everything last night. We were not prepared for that, so I’m wondering what the good settings are for the GPO to best suit our needs.
    Our GPO has these settings:
    Configure auto restart… = Enable
    Configure Automatic update = enable (set at 3 – auto download…)
    Reschedule Automatic update… = Enable (10 minutes)
    Configure Auto-restart warning… = Enable (2h reminder, warning 15 min)
    Which settings do I really need to be able to install via BatchPatch and also be able to do a usoclient startscan?

    #14309
    doug
    Moderator

    Our recommended GPO settings for NO WSUS are here:

    recommended-group-policy-settings-for-batchpatch-standalone-usage-with-no-wsus

    Configure Automatic Updates should be set to either 2 or 3, depending on your preference.

    The other settings are all up to you to decide which are best for your particular needs. We generally do not enable any of the other settings that you have mentioned, but whether or not you choose to enable other policies is of course up to you and your requirements and/or preferences.

    The main thing that you seem to be asking about is the Windows Update UI in the OS. Unfortunately usoclient startscan is not supported by Microsoft to guarantee any particular operation, and it does not work consistently/reliably to refresh the UI. From what we have observed, the GPO status does not really matter. usoclient startscan will sometimes perform the refresh but other times will not, regardless of the GPO setting. I think in your case what you observed was that with certain GPO settings the UI is more regularly updated by the OS because those GPO settings were triggering the OS built-in Automatic Updates client to be more active, but of course you also experienced the downside of allowing Automatic Updates to be active, and your machines got updated and rebooted without you initiating it. Unfortunately at this time Microsoft has not provided a way to update the UI reliably/consistently when it’s not up to date, and we do not have another workaround right now. That said, realistically you just need to train your administrators to know that they cannot rely on the status of the OS Windows Update UI when using a third-party update tool like BatchPatch. BatchPatch will still always report the correct status.

    I would note that you might be able to use usoclient.exe startinteractivescan to immediately refresh the UI, but the problem with this command is it will also trigger the download and install of any/all updates that are still available (any updates that have not yet actually been downloaded or installed), which is not what you want.

    #14311
    ddemers
    Participant

    Thanks for the reply. I will adjust our GPO setting and try to train others not to worry about what is displayed in the Windows Update GUI.
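
One way to confirm, after adjusting the GPO, that a server actually carries the Configure Automatic Updates value of 2 or 3 recommended in the reply above. This is an added example, not part of the thread and not BatchPatch code. The function names and sample inputs are made up for illustration, and it assumes the GPO writes the standard `NoAutoUpdate` and `AUOptions` values under the Windows Update policy key (PowerShell 3.0 or later).

```powershell
# Added example (not BatchPatch code): check which Automatic Updates policy a server has.
# Key and value names are the standard Windows Update policy registry locations.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AuPolicyVerdict {
    param([hashtable]$Values)   # value name -> data, as read from the AU policy key

    if ($null -eq $Values -or $Values.Count -eq 0) {
        return 'NO POLICY: OS defaults apply, so the built-in client may install and reboot'
    }
    if ($Values['NoAutoUpdate'] -eq 1) {
        return 'REVIEW: Configure Automatic Updates is Disabled, not 2 or 3'
    }
    $opt = $Values['AUOptions']
    if ($null -eq $opt) { return 'REVIEW: policy key exists but AUOptions is not set' }
    if ($opt -in 2, 3)  { return "OK: AUOptions = $opt (the 2 or 3 recommended in the thread)" }
    return "REVIEW: AUOptions = $opt is outside the recommended 2 or 3"
}

function Read-AuPolicy {
    # Reads the two values from the local registry; returns an empty table if no GPO applied.
    $values = @{}
    if (Test-Path $AuKey) {
        $item = Get-ItemProperty -Path $AuKey
        foreach ($name in 'NoAutoUpdate', 'AUOptions') {
            if ($null -ne $item.$name) { $values[$name] = $item.$name }
        }
    }
    return $values
}

# Constructed sample inputs, not read from any real server.
$samples = [ordered]@{
    'GPO removed' = @{}
    'set to 3'    = @{ NoAutoUpdate = 0; AUOptions = 3 }
    'set to 7'    = @{ NoAutoUpdate = 0; AUOptions = 7 }
}
foreach ($name in $samples.Keys) {
    '{0,-12} {1}' -f $name, (Get-AuPolicyVerdict $samples[$name])
}

# On Windows, also report the machine the script runs on.
if ($env:OS -eq 'Windows_NT') { 'this machine {0}' -f (Get-AuPolicyVerdict (Read-AuPolicy)) }
```

The "NO POLICY" verdict is the state the original poster was in after removing the GPO, which is when the servers updated and rebooted on their own.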
