When the WSUS isn't available

Hi there,

On our domain we have a WSUS server and a policy setup to "Automatically
download recommended updates for my computer and install them" at a
particular time.

My question is if a person takes their laptop off the domain for 6 months,
will XP detect there is no access to the WSUS server and get the updates from
Microsoft?

Thanks
Quinton

[[ Right pew, wrong church. Forwarded to WSUS newsgroup
(microsoft.public.windows.server.update_services) via crosspost as a
convenience to OP.

On the web:
http://www.microsoft.com/communities... date_services

In your newsreader:
news://msnews.microsoft.com/microsof...pdate_services
]]

Q wrote:
> Hi there,
>
> On our domain we have a WSUS server and a policy setup to "Automatically
> download recommended updates for my computer and install them" at a
> particular time.
>
> My question is if a person takes their laptop off the domain for 6 months,
> will XP detect there is no access to the WSUS server and get the updates
> from Microsoft?
>
> Thanks
> Quinton

> Q wrote:

>> Hi there,
>>
>> On our domain we have a WSUS server and a policy setup to "Automatically
>> download recommended updates for my computer and install them" at a
>> particular time.
>>
>> My question is if a person takes their laptop off the domain for 6
>> months,
>> will XP detect there is no access to the WSUS server and get the updates
>> from Microsoft?

No, it won't.

Harry.

On Fri, 19 Jun 2009 12:24:36 +1200, "Harry Johnston [MVP]"
<harry@scms.waikato.ac.nz> wrote:

>> Q wrote:
>
>>> Hi there,
>>>
>>> On our domain we have a WSUS server and a policy setup to "Automatically
>>> download recommended updates for my computer and install them" at a
>>> particular time.
>>>
>>> My question is if a person takes their laptop off the domain for 6
>>> months,
>>> will XP detect there is no access to the WSUS server and get the updates
>>> from Microsoft?
>
>No, it won't.

But it would be a nice enhancement to the product to be able to configure a
timeout (in days say) after which the client would revert to using WU/MU when
the WSUS server is still not contactable. For example if the WSUS server is not
contactable and the time since the last contact with the WSUS server is greater
than x days then go to WU/MU.

Maybe two timeouts would be even better. The short timeout would trigger a
download from WU/MU of previously approved updates that are simply waiting to
download the content. So if a laptop is connected for say 5 minutes and gets
told to download a lot of updates (SP's etc) but is then removed from the
network after a few days it would get the downloads from WU/MU and install them.
The long timeout would also go the WU/MU but set different approval options such
as 3. Download and Notify instead of 4. Scheduled install.
>
> Harry.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

* PA Bear, thanks for the move. This is only my 2nd time here, so I'm a bit
lost on where to post...
* Harry, thanks for the info!

Hey Dave, I've been given the task of coming up with a way to fix this issue
of laptops not getting updates when the professors go away for months at a
time.

I've basically created a start up script that detects if the IP address is
from our network or not.
If the laptop is not on the network then I delete 3 reg values.

reg delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate" /V
WUServer /f
reg delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate" /v
WUStatusServer /f
reg delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate\AU" /V
UseWUServer /f

When the laptop comes back on the domain it will get a gpupdate and the
laptop will receive the policy for WSUS.

It's still in the testing phase, but here is the script.


IPCONFIG > %temp%\TEMPIP.txt
findstr XXX.XXX %temp%\tempip.txt
IF errorlevel 1 GOTO :AWAY

ECHO On site!
GOTO :END

:AWAY
echo Off site
reg delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate" /V
WUServer /f
reg delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate" /v
WUStatusServer /f
reg delete
"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate\AU" /V
UseWUServer /f

:END


I welcome any input anyone may have. I'm a beginner at scripting.

Thanks
Quinton

"Dave Mills" <News1@nospam--djmills-dot-co.uk> wrote in message
news:ag5m355ivnlin90cinfo666hn8sfdhk64n@4ax.com...

>>> My question is if a person takes their laptop off the domain for 6
>>> months,
>>> will XP detect there is no access to the WSUS server and get the updates
>>> from Microsoft?

>>No, it won't.

> But it would be a nice enhancement to the product to be able to configure
> a
> timeout (in days say) after which the client would revert to using WU/MU
> when
> the WSUS server is still not contactable.

This is easily implemented. Create a scheduled task to run every 'x' days
that resets the registry value UseWUServer to dword:0x0. If group policy is
not being refreshed (as a result of a non-existent network/domain
connection), then the registry setting will remain in force, and the system
will revert to using Automatic Updates until the next group policy refresh
reverts that value to true, resetting the connection to the WSUS Server.

Or, perhaps the inverse is a better solution. Don't use group policy to
configure highly-mobile notebooks at all. Use a locally-stored startup
script that populates the registry conditionally based on whether the
machine is connected to the domain (a simple ping/response to the DC can
establish that). If not connected, set UseWUServer=dword:0x0 (Automatic
Updates), if it is connected, set UseWUServer=dword:0x1 (WSUS).

> So if a laptop is connected for say 5 minutes and gets
> told to download a lot of updates (SP's etc) but is then removed from the
> network after a few days it would get the downloads from WU/MU and install
> them.

The "best practice" for notebooks with a high probability of disconnects
from the corporate network is to configure a second WSUS Server with no
content store, thus forcing the notebook(s) to always obtain content from
microsoft.com.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

"Q" <Q@discussions.microsoft.com> wrote in message
news:E562BB60-77B9-43E2-8CC9-5F94D3B5175C@microsoft.com...
>* PA Bear, thanks for the move. This is only my 2nd time here, so I'm a bit
> lost on where to post...
> * Harry, thanks for the info!
>
> Hey Dave, I've been given the task of coming up with a way to fix this
> issue
> of laptops not getting updates when the professors go away for months at a
> time.
>
> I've basically created a start up script that detects if the IP address is
> from our network or not.
> If the laptop is not on the network then I delete 3 reg values.

The concept is valid....

> reg delete
> "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate" /V
> WUServer /f
> reg delete
> "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate" /v
> WUStatusServer /f
> reg delete
> "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate\AU"
> /V
> UseWUServer /f

But the execution is flawed.

The *correct* response in this code block should be merely to CHANGE the
value of UseWUServer to FALSE, thus "turning off" the use of WSUS. When
UseWUServer=dword:0x0, the values WUServer and WUStatusServer will be
ignored. Restoring use of WSUS is as simple as setting this value back to
true (dword:0x1).


> When the laptop comes back on the domain it will get a gpupdate and the
> laptop will receive the policy for WSUS.

Or, using Group Policy to reset the registry. :-)


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

Lawrence Garvin [MVP] wrote:

> This is easily implemented. Create a scheduled task to run every 'x'
> days that resets the registry value UseWUServer to dword:0x0. If group
> policy is not being refreshed (as a result of a non-existent
> network/domain connection), then the registry setting will remain in
> force, [...]

I'm not certain of this - group policy does get cached locally under some
circumstances, although I'm not sure of the details.

Harry.

On Sun, 21 Jun 2009 11:53:37 +1200, "Harry Johnston [MVP]"
<harry@scms.waikato.ac.nz> wrote:

>Lawrence Garvin [MVP] wrote:
>
>> This is easily implemented. Create a scheduled task to run every 'x'
>> days that resets the registry value UseWUServer to dword:0x0. If group
>> policy is not being refreshed (as a result of a non-existent
>> network/domain connection), then the registry setting will remain in
>> force, [...]
>
>I'm not certain of this - group policy does get cached locally under some
>circumstances, although I'm not sure of the details.
>
I would also expect that you would need to set the GPO to be applied even if not
changed. This would cause additional processing on every refresh. Without this
it would be easy to think the registry setting can be changed, some testing
would be necessary. I use this technique for setting the Proxy IP in IE and even
though the GPO is enforced if the registry is change it is not enforced until
back on the network. What the WSUS GPO wo9uld do would need to be determined by
testing.

Still not as neat as a WSUS configuration option though. I hate "smart" setups
as I assume they the ones most likely to change behaviour unexpectedly in a
future system implementation.

> Harry.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

Thanks so much for your responses!

I've got it working (in a test environment) now, but it looks like I can
tweak some things as well.

Thanks again!
Quinton