GPO settings without WSUS

BatchPatch Forums Home Forums BatchPatch Support Forum GPO settings without WSUS

Tagged: 

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #14309
    doug
    Moderator

    Our recommended GPO settings for NO WSUS are here:

    recommended-group-policy-settings-for-batchpatch-standalone-usage-with-no-wsus

    Configure Automatic Updates should be set to either 2 or 3, depending on your preference.

    The other settings are all up to you to decide which are best for your particular needs. We generally do not enable any of the other settings that you have mentioned, but whether or not you choose to enable other policies is of course up to you and your requirements and/or preferences.

    The main thing that you seem to be asking about is the Windows Update UI in the OS. Unfortunately usoclient startscan is not supported by Microsoft to guarantee any particular operation, and it does not work consistently/reliably to refresh the UI. From what we have observed, the GPO status does not really matter. usoclient startscan will sometimes perform the refresh but other times will not, regardless of the GPO setting. I think in your case what you observed was that with certain GPO settings the UI is more regularly updated by the OS because those GPO settings were triggering the OS built-in Automatic Updates client to be more active, but of course you also experienced the downside of allowing Automatic Updates to be active, and your machines got updated and rebooted without you initiating it. Unfortunately at this time Microsoft has not provided a way to update the UI reliably/consistently when it’s not up to date, and we do not have another workaround right now. That said, realistically you just need to train your administrators to know that they cannot rely on the status of the OS Windows Update UI when using a third-party update tool like BatchPatch. BatchPatch will still always report the correct status.

    I would note that you might be able to use usoclient.exe startinteractivescan to immediately refresh the UI, but the problem with this command is it will also trigger the download and install of any/all updates that are still available (any updates that have not yet actually been downloaded or installed), which is not what you want.

    #14311
    ddemers
    Participant

    Thanks for the reply I will adjust our GPO setting and try to train other to not worry about what is displayed in the windows update GUI.

Viewing 2 posts - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.