Group Policy Central

Posts tagged ‘Group Policy’

Best Practice: Group Policy for WSUS


Windows Server Update Services (a.k.a. WSUS) is the free tool Microsoft provides for deploying patches and updates. In my experience this tool is used by pretty much every organisation in the world that has more than a handful of computers. WSUS is also a requirement for the Software Update option in SCCM 2007.

What I hope this post will teach you is how to use Group Policy in your environment to milk the absolute most out of your existing WSUS infrastructure. I am also going to assume that you are familiar with WSUS and already have it deployed in your organisation…

Is WSUS the right tool for your organisation?

Having implemented WSUS for an environment of over 10,000 servers and workstations combined, I can truly say that this tool scales really well. I also believe that even if you have bought and implemented System Center Configuration Manager in your environment, you are probably still better off using WSUS to manage the updates for your Microsoft software. The reason why I still normally recommend that people use WSUS over SCCM is that the product overall is much easier to use, and it is just human nature for people to want to use the easier tool where possible…

However, there are a couple of reasons why I think SCCM should still be used over WSUS:

  1. You need to wake computers using WOL so that they can be patched out of hours (however, there is a way to do something similar using Group Policy).
  2. You want to ensure that computers are only patched during a “maintenance window” (however, even this can be done using Group Policy) and that patches do not install if they will take longer than that window.
  3. SCCM Software Updates supports third-party updates when used in conjunction with System Center Updates Publisher 2011. This is very handy if you want to deploy third-party updates from HP, Dell or Adobe (yes! Flash and Reader). Unfortunately, even though the SCCM SU feature is built on WSUS, there is no way to import these third-party updates directly into a standalone WSUS server.



WSUS Tips and Tricks

Below is a collection of configuration recommendations and tips that help you get the most out of your WSUS infrastructure. These are in no particular order of importance, and you might choose to implement only some of these settings depending on your environment.

Terminology: In this post I will use the term “client” many times. When I make this reference, note that I am talking about any client of the WSUS server, so a “client” could be either a server or a workstation.

WSUS Computer Group Assignment

One of the first things you should do once you have installed WSUS and performed the first sync is to enable Group Policy computer group assignment. This allows the clients that connect to your WSUS server to be placed automatically in the correct target group when they connect. The target group on the client is controlled using the “Enable client-side targeting” Group Policy setting (more on this later).


If you don’t enable this option you will quickly find that you need to manually categorise every new computer that reports in to the WSUS server. This is fine if you only have a few computers, but once you start managing many hundreds or thousands of computers it quickly becomes impractical.

DNS Alias for WSUS Server

One of the options you can set using Group Policy is “Specify intranet Microsoft update service location”, which allows you to specify the WSUS server name. Even though this setting can be controlled via Group Policy, and thus can be changed in about 2 hours, I still strongly recommend that you create a DNS alias. A DNS alias for your WSUS server gives you another way to easily migrate your clients to a new WSUS server, without needing to keep a legacy alias of your old server name after the move.
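As an added example (not code from the original post), this PowerShell audit reads the values that the two policies above write on a client and reports whether it is pointed at the alias and has client-side targeting on. It assumes the standard policy key under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the alias name is a placeholder.

```powershell
# Added example: audit the WSUS settings Group Policy writes on a client.
# Assumes the standard WindowsUpdate policy key; the alias is a placeholder to change.
$ExpectedAlias = 'wsus.corp.example.com'   # placeholder DNS alias (CNAME) for the WSUS server
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    param([string]$Key = $PolicyKey)
    if (-not (Test-Path $Key)) { return $null }
    $wu = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$Key\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer           = $wu.WUServer            # "Specify intranet Microsoft update service location"
        WUStatusServer     = $wu.WUStatusServer
        TargetGroupEnabled = [int]$wu.TargetGroupEnabled   # "Enable client-side targeting"
        TargetGroup        = $wu.TargetGroup
        UseWUServer        = [int]$au.UseWUServer
    }
}

function Test-WsusClientPolicy {
    param([pscustomobject]$Policy, [string]$Alias = $ExpectedAlias)
    $findings = @()
    if ($null -eq $Policy) { return @('No WSUS policy key present: client is using Microsoft Update directly.') }
    if ($Policy.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1: the intranet server is configured but not used.' }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $Policy.$name
        if (-not $url) { $findings += "$name is not set."; continue }
        $uri = [uri]$url
        if ($uri.Host -ne $Alias) { $findings += "$name points at '$($uri.Host)', not the alias '$Alias'." }
    }
    if ($Policy.TargetGroupEnabled -ne 1) { $findings += 'Client-side targeting is off: computer will land in Unassigned Computers.' }
    elseif (-not $Policy.TargetGroup) { $findings += 'TargetGroupEnabled is 1 but TargetGroup is empty.' }
    return $findings
}

$policy = Get-WsusClientPolicy
$policy | Format-List
$issues = @(Test-WsusClientPolicy -Policy $policy)
if ($issues.Count -eq 0) { 'WSUS client policy matches the expected configuration.' }
else { $issues | ForEach-Object { "WARNING: $_" } }
```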



Using Firefox in the Enterprise? Really! Have you heard of IE?

There has been a lot of talk in the news recently about how Mozilla have shifted gears and are now releasing a new browser version every few months. The effect of this is that a lot of enterprise customers using Firefox (such as IBM) aren’t even finished testing before the next version is released. While corporate customers using Firefox 3.6 are still supported, it would seem that this may not be for long due to the “cost benefit trade” for Mozilla to play in the Enterprise.

This has of course prompted Microsoft to start pushing IE to corporate customers, saying “We’ve got a great solution for corporate customers with both IE8 and IE9”.

To illustrate this I have graphed the number of days that Microsoft supports Internet Explorer compared to Mozilla’s Firefox 4.


Note: I assume that IE9 will not have an extended support lifecycle as it was NOT released as part of Windows 7.

Certainly, having to support IE6 for over 9 years is a major commitment for Microsoft, especially when there are so many security issues… But even while Microsoft encourages users to stop using IE6 (http://www.theie6countdown.com/), they continue to support IE6 as promised for the long haul and are certainly not going to be “forcing” anyone to upgrade any time soon. For this reason, plus Internet Explorer’s excellent out-of-the-box Group Policy support (for third party see PolicyPak), I think IE is hands down the best browser for any corporate environment….

Group Policy Hotfix Round Up

Microsoft have just released a few more Group Policy related hotfixes. Below is a description of the issue each one resolves and a link to the related KB article.

GetGPOList function does not return all GPOs in Windows 7 or in Windows Server 2008 R2

Consider the following scenario:

  • You have a computer that is running Windows 7 or Windows Server 2008 R2.
  • You use the LocalSystem account to run a service on the computer.
  • The service calls the GetGPOList function to query all Group Policy objects (GPO) that are applied on a computer.
  • The Authenticated Users group is removed from the access control list (ACL) in an applied GPO.

In this scenario, the GetGPOList function does not return all applied GPOs. The function returns only GPOs that have the Authenticated Users group in the ACL of the GPO.

When you use a GPO for application deployment in Windows 7 or in Windows Server 2008 R2, the deployment fails

In an Active Directory Domain Services (AD DS) environment, you cannot use a Group Policy Object (GPO) to deploy applications for installation on client computers that are running Windows 7 or Windows Server 2008 R2. When you try to apply the GPO, you receive an error message that resembles the following:

  • Windows failed to apply the Software Installation settings

Group Policy logon scripts do not run in Windows 7 or in Windows Server 2008 R2

Consider the following scenario in an Active Directory domain environment:

  • You deploy logon scripts by using Group Policy.
  • You set logon scripts to run synchronously.
  • You try to log on to a client computer that is running Windows 7 or Windows Server 2008 R2.

In this scenario, the logon scripts do not run before the logon process.

A user who has administrator permission can delete printers on a computer that is running Windows 7 or Windows Server 2008 R2 after you deploy the "Prevent deletion of printers" Group Policy

Consider the following scenario:

  • You deploy the Prevent deletion of printers Group Policy in your environment.
  • You have a client computer that is running Windows 7 or Windows Server 2008 R2.
  • A user who has administrator permission logs on to the client computer.

In this scenario, the user can still delete printers in Devices and Printers unexpectedly.

How to enable IE Quirks Mode with Group Policy

If you are looking at moving to Windows 7, or at upgrading IE6 in your organisation, you have probably discovered that a lot of your intranet web sites don’t work properly. Apparently 80% of IE app compatibility issues are caused by websites that do not have the <!DOCTYPE> declaration on the first line, which IE8 handles differently from IE6 (see below).


This problem is due to a bug in IE6: it ignores the <!DOCTYPE> if it is not on the first row and falls back to rendering the page in Quirks mode. Newer browsers do read the <!DOCTYPE> tag even if it is not on the first line, and then render the page in Standards mode as requested. To address this issue Microsoft have released a hotfix for IE8 and included in IE9 a feature that lets you force pages to render in Quirks mode, thus ignoring the <!DOCTYPE> line.

A webpage is not displayed correctly in Internet Explorer when any of the following is true:

  • You use Windows Internet Explorer 8 Standards mode to browse the webpage.
  • You enable Compatibility View in Internet Explorer 7 to browse the webpage.

Additionally, if you do not have the permissions to implement the Meta tag or the HTTP header for browser emulation, you cannot force the browser to work in QUIRKS mode from the client-side.

Microsoft KB: A webpage is not displayed correctly when you browse the webpage by using Internet Explorer 8 Standards mode or Compatibility View in Internet Explorer 7

Once you have deployed the hotfix or installed IE9 on your computers, you can use the policy “Use Policy List of Quirks Mode sites”, under Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\QuirksPolicyList, to add specific sites that should render in Quirks mode.


This forces the browser to render the page in IE5.5 (a.k.a. Quirks) mode so that the page renders correctly again.
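As an added example (not from the original post), this PowerShell script finds the DOCTYPE-placement case described above in a page’s HTML and checks whether the site is already on the Quirks Mode policy list. It assumes the policy key named in the post and that the list stores one registry value per site, named after the site; the sample HTML is constructed and the site name is a placeholder.

```powershell
# Added example: flag pages whose DOCTYPE is not on line 1 (IE6 Quirks, IE8 Standards)
# and check the Quirks Mode policy list. Value-per-site layout is an assumption.
$QuirksListKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\BrowserEmulation\QuirksPolicyList'

function Get-DoctypeReport {
    param([string]$Html)
    $lines = $Html -split "`r?`n"
    $index = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*<!DOCTYPE\b') { $index = $i; break }
    }
    if ($index -lt 0) {   # no DOCTYPE at all: every IE version uses Quirks mode, nothing changes
        return [pscustomobject]@{ DoctypeLine = $null; IE6 = 'Quirks'; IE8 = 'Quirks'; NeedsPolicy = $false }
    }
    if ($index -eq 0) {   # DOCTYPE on the first row: IE6 and IE8 agree on Standards mode
        return [pscustomobject]@{ DoctypeLine = 1; IE6 = 'Standards'; IE8 = 'Standards'; NeedsPolicy = $false }
    }
    # DOCTYPE after line 1: IE6 ignores it (Quirks) while IE8/IE9 honour it (Standards),
    # so the page changes appearance after the upgrade unless forced into Quirks mode.
    [pscustomobject]@{ DoctypeLine = $index + 1; IE6 = 'Quirks'; IE8 = 'Standards'; NeedsPolicy = $true }
}

function Test-QuirksPolicyListed {
    param([string]$Site, [string]$Key = $QuirksListKey)
    if (-not (Test-Path $Key)) { return $false }
    $item = Get-Item -Path $Key
    return ($item.GetValueNames() -contains $Site)
}

# Constructed sample: a legacy intranet page with a comment before the DOCTYPE.
$SampleHtml = @"
<!-- generated by legacy CMS -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Expense claims</title></head><body>...</body></html>
"@
$Site = 'intranet.corp.example.com'   # placeholder site name

$report = Get-DoctypeReport -Html $SampleHtml
$report | Format-List
if ($report.NeedsPolicy) {
    if (Test-QuirksPolicyListed -Site $Site) { "$Site is already on the Quirks Mode policy list." }
    else { "$Site renders differently in IE8: add it to 'Use Policy List of Quirks Mode sites'." }
}
```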

TIP: If you are still having issues with your intranet pages not working correctly, one of the other big compatibility fixes you can try is to make sure that the page is properly placed in the “Intranet Zone”. For instructions on how to do this see my other post, How to use Group Policy to configure Internet Explorer security zone sites.

Thanks to Chris Jackson, “The App Compat Guy”, for his TechEd 2011 video, which had the details I needed to write this article: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL315

TechEd Video: Optimizing Group Policy in Virtual Desktop (VDI) Environments