Small Business Susan

Getting WSUS to not look at Vista boxes

Once upon a time, in a kingdom near you, there was a Server.  A king.  And the King Server liked to rule the land.  But one day a new person came into the kingdom and needed a bit of independence.  The King looked around and decided that the new person was right, that for the time being having a bit of independence in the kingdom, a bit of liberty would allow the new inhabitant to settle in a bit better and get acquainted with the surroundings of the Kingdom.  So the order went out from the King to allow a bit of freedom to the new inhabitant…. and so begins our story ….


Okay so since you and I don’t live in a fairy tale, nor Disneyland, even though my Sister comes real close with her new Vista box with the Disney Screensaver…..our goal here this afternoon is to get our WSUS 2.0 to “not” apply the group policy to Vista machines because until WSUS 3.0 comes out we want them to go directly to Microsoft update and get patches… yes I know that having them get patches directly isn’t the best managed way to do this… but by golly since our Vista boxes are typically owned by the owner of the firm and us geeks anyway..we want that Poker game we’ve heard about… okay so maybe that Bitlocker thingy too.. but let’s see if we can get the Vista’s excluded from our WSUS group policy shall we?


Now in this test network we are 100% borg.  All XP and 2003.  And it’s a nice place to be as it gives you a consistent interface and patching experience… it also gives you a consistent WMI filter.  A WMI filter allows you to fine tune group policy and are supported on XP and 2k3.  If you’ve installed your Ripcurl patches you will note that you have a new WMI filter down there on your SBS box….go into the group policy management console and you’ll see



Now Vista is Version 6…and the WMI purists will say that the query should be =6.0 but it’s designed to catch builds after Vista… and it controls the group policy firewall on SBS networks.  SeanDaniel.com blogged about how will be using Vista boxed to build our group policy, but for what we’re doing where we want to limit our WSUS to just our XP and non Vista boxes we can do this easily enough on the server.  Yes it’s not best practice to be doing policies straight on the server but we’ll back it up ahead of time and all that. And since our goal here is to add an easily adjustable, deletable filter to our already existing policies, we’re not going to hurt anything.  So here goes.  Let’s see what filters the SBS folks in the Emerald City of Redmond (or these days white and snowy and rainy) have already built for us to give us an idea of what we can easily do….



You’ll notice there’s one to make the Internet firewall not apply to pre SP2 XP machines… again see that Select* going on?



And in fact we already have a XP sp2 filter on the box…. see that?


So we know that Select * from Win32_OperatingSystem where version =  “5.1.2600″ is Windows XP …and we can put such things as ServicePackMajorVersion and have it filter on that as well.  We know from running WinVer on the server that it’s value is 5.2.3790.  Now the purests would probably kill me for writing a query for <=5.2 as technically speaking the OS verson value is not a number but a string value. So we’re going to do a value that includes an or….



And we’re going to call the policy XP and 2003 like this:



Okay so now we need to link it to something that will make the Patching policy only impact the XP and 2003 boxes…and based on the fact that the Group policy that is called:



Is the one that makes the computers and servers point to WSUS for their settings, this is the one we want to make the filter enabled on.  So we go to that specific group policy and down at the bottom where is says filter of “none” we change it to our filter of “Windows 2003 and XP”


And of course to “kick it” at a command prompt we type in gpupdate /force


Now then for good measure we go to the client computer policy



And we find down in the bottom section our Vista machine and we’ll manually remove it from the policy and make sure that it doesn’t get automatically added back in.



Now when we go to our Vista box…we’ll find that we’re not longer controlled by the server to get our patches and indeed can get to the Ultimate extras now:


   


And when we go back to our XP boxes we’ll find that they are still controlled by the server.



Thus all living happily ever after… (or until WSUS 3.0 RTMs at which point in time I’ll take that WMI filter back out and let the Vista boxes point back to the WSUS server for their patches. 


But for now our story ends with the King and all the inhabitants of the kingdom being very happy and learning to live with and like one another a lot better.