Active Directory/Service Groups/WSUS/Target Groups

From WolfTech
Jump to navigation Jump to search

Beginning in April 2009, the Central WSUS Service began using a new tagging convention for its WSUS target groups: Early, Normal, Late.

The intention of these naming groups is to allow the WSUS Administrators to approve patches at specific time intervals to select groups of machines that the OU Administrators will subscribe their computers to. The timelines and approval processes are well known to all involved, and will allow for a flexibility not available in previous WSUS servers.

Naming conventions remain in place -- an OU Administrator is still expected to place his computers into a target group starting with the name of his OU, but the addition of the tag is now also required. For example, within the ECE department, it would be expected to find "ECE-Normal" or "ECE-Early" as potential groups. Should a group be created without a timing tag, it is presumed to be "Normal" and will be approved as such. Groups wishing to include additional information in their target group are not barred from doing so ("ECE-Teaching Labs-Early"), but these most still contain both the OU name and the timing tag.

This setting is currently set in most <OU>-OU Policy GPO's in Wolftech. The specific path to edit the setting is:

  Computer Configuration/Administrative Templates/Windows Components/Windows Update/Enable client-side targeting

Early

Computers in groups with the "Early" tag will receive patches immediately. Once the WSUS admins see the patch is available, they push it to the “Early” groups.

OU Admins with "Early" groups are expected to join the activedirectory-patches@lists.ncsu.edu mailing list. Every patch the WSUS server downloads is sent to this list. Please note that you will likely receive hourly emails from this list -- you'll see not just security patches, but also definition updates which are automatically approved. However, this list will also be the only forewarning you will receive of patches that might cause your computer to reboot at night.

It is recommended that you limit the number of workstations you place in an "Early" group -- perhaps only join those workstations (likely the desktops of your IT folks) which you wish to test patches on ahead of time. Any patches which cause issues should be brought to the attention of the WSUS Administrators, or announced on the Active Directory mailing list.

Notification: A notification to Sysnews will not be made.

Normal

Computers within "Normal" target groups will receive patches on the Thursday morning following Patch Tuesday. WSUS Administrators are expected to approve patches for these computers between 8am and 9:30am that morning. The "Personal" group used for personal or home machines will also be part of this group.

Notification: A notification to Sysnews will be made once they have done so.

Late

Patches for this group will release the Tuesday following Patch Tuesday (3rd Tues of the Month). Once again, WSUS Administrators are expected to approve patches for these computers between 8am and 9:30am that morning.

Notification: A notification will be sent to the Active Directory mailing list to remind OU Admins of the patch release. A notification to Sysnews will not be made.