jjhs Absent Member.
Absent Member.
3358 views

WSUS Policy not applying

Hello

I have created a wsus policy, but when ever i log in to my workstation with a local user, the policy is not applied unless i make a 'gpupdate /force' in cmd. I have read in multiple other threads online, that the policies may not apply due to the missing authentication from the local workstation user. To clarify; the policy is 'Available' in the Zenworks agent, but the information is not "confirmed" in regedit.

I looked through this forum for any solutions regarding my problem, and I have only encountered one possible solution which was creating a registry key, that applies policies at device-startup. However, this is not working unfortunately.

The workstations that have this policy, are all meant to be used by local users. It should also be possible to run windows updates without having to login as a user.

Thanks in advance.

Jonas.
Labels (2)
0 Likes
10 Replies
Knowledge Partner
Knowledge Partner

Re: WSUS Policy not applying

jjhs;2345311 wrote:
Hello

I have created a wsus policy, but when ever i log in to my workstation with a local user, the policy is not applied unless i make a 'gpupdate /force' in cmd. I have read in multiple other threads online, that the policies may not apply due to the missing authentication from the local workstation user. To clarify; the policy is 'Available' in the Zenworks agent, but the information is not "confirmed" in regedit.

I looked through this forum for any solutions regarding my problem, and I have only encountered one possible solution which was creating a registry key, that applies policies at device-startup. However, this is not working unfortunately.

The workstations that have this policy, are all meant to be used by local users. It should also be possible to run windows updates without having to login as a user.

Thanks in advance.

Jonas.


Instead of doing it through policy you could send out the WSUS settings with a registry action bundle, see here for details: http://www.novell.com/support/kb/doc.php?id=7009252

Thomas
0 Likes
jjhs Absent Member.
Absent Member.

Re: WSUS Policy not applying

I tried removing my wsus policy and adding a regkey instead. Now it seems that only the 'AU' key is configured, but not the main 'WindowsUpdate' key. I can verify that the .reg file im using, has the right information for both keys.

How can this be?
0 Likes
Knowledge Partner
Knowledge Partner

Re: WSUS Policy not applying

jjhs;2345320 wrote:
I tried removing my wsus policy and adding a regkey instead. Now it seems that only the 'AU' key is configured, but not the main 'WindowsUpdate' key. I can verify that the .reg file im using, has the right information for both keys.

How can this be?


That sound really strange, can you post the reg file.

Thomas
0 Likes
jjhs Absent Member.
Absent Member.

Re: WSUS Policy not applying

This is the .reg file im using with the bundle:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="UVPC"
"AcceptTrustedPublisherCerts"=dword:00000001
"WUServer"="[SERVER-NAME]"
"WUStatusServer"="[SERVER-NAME]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AutoInstallMinorUpdates"=dword:00000001
"IncludeRecommendedUpdates"=dword:00000001
"RescheduleWaitTimeEnabled"=dword:00000001
"RescheduleWaitTime"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"RebootRelaunchTimeoutEnabled"=dword:00000001
"RebootRelaunchTimeout"=dword:0000001e
"AUPowerManagement"=dword:00000001
"UseWUServer"=dword:00000001
"DetectionFrequencyEnabled"=dword:00000001
"DetectionFrequency"=dword:0000000c
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000002
"NoAUShutdownOption"=dword:00000001
"RebootWarningTimeoutEnabled"=dword:00000001
"RebootWarningTimeout"=dword:0000001e

I tried verifying the regkey in 'Zenworks application window' and that updated the information in regedit, but thats not really a reliable solution 😉

EDIT: Could other settings in windows be a show-stopper for these settings? I have a couple of workstations (out of about 35 workstations) that accept the former policy without any issues, and they are running fine with the wsus server.
0 Likes
Knowledge Partner
Knowledge Partner

Re: WSUS Policy not applying

jjhs;2345339 wrote:
This is the .reg file im using with the bundle:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="UVPC"
"AcceptTrustedPublisherCerts"=dword:00000001
"WUServer"="[SERVER-NAME]"
"WUStatusServer"="[SERVER-NAME]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AutoInstallMinorUpdates"=dword:00000001
"IncludeRecommendedUpdates"=dword:00000001
"RescheduleWaitTimeEnabled"=dword:00000001
"RescheduleWaitTime"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"RebootRelaunchTimeoutEnabled"=dword:00000001
"RebootRelaunchTimeout"=dword:0000001e
"AUPowerManagement"=dword:00000001
"UseWUServer"=dword:00000001
"DetectionFrequencyEnabled"=dword:00000001
"DetectionFrequency"=dword:0000000c
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000002
"NoAUShutdownOption"=dword:00000001
"RebootWarningTimeoutEnabled"=dword:00000001
"RebootWarningTimeout"=dword:0000001e

I tried verifying the regkey in 'Zenworks application window' and that updated the information in regedit, but thats not really a reliable solution 😉


Okay so maybe it was a simple "version mismatch", the workstation didn't know there was a new version of the bundle when you tried it first....

Do you have the reg edit action under "install tab" or "launch tab", if you have it under the install tab then it defaults to install once per device, which should be fine in this case.. But you could also set the action under launch tab for example and set the relationship to launch on boot, then it will make the registry change everytime the workstation is booted.

It would also be nice to know which version the zenworks agent is on the workstation, since there have been some bugs in some versions that fail to distribute bundles during login for example...

Thomas
0 Likes
jjhs Absent Member.
Absent Member.

Re: WSUS Policy not applying

The workstations are running the zenworks agent version 11.3.1.41750

I can give it a try but the problem is, as i mentionened in an earlier post, that not the entire .reg file is added. It was only the AU key that got the information, not the "root" WindowsUpdate.
Maybe i should try adding the former policy to the launch tab, hoping this would force the policy to be added every time the device is booted. Would this give the same outcome as if i ran 'gpupdate /force' in cmd?

EDIT: okay i guess i was a little too fast on that one. Its apparently not possible to make policies run everytime the device is booted?
0 Likes
jjhs Absent Member.
Absent Member.

Re: WSUS Policy not applying

It seems to be working with the regkey now. I configured the regkey in the 'Launch'-tab to apply everytime a user is logging in. All my workstations are now getting the correct information (and all of it) about our wsus-server.

Now I just hope that the workstations will keep their information, even when a user is not logged in, or else it will be quite problematic to update windows without having to log in. Is this something you can comment on thsundel?
0 Likes
Knowledge Partner
Knowledge Partner

Re: WSUS Policy not applying

jjhs;2345435 wrote:
It seems to be working with the regkey now. I configured the regkey in the 'Launch'-tab to apply everytime a user is logging in. All my workstations are now getting the correct information (and all of it) about our wsus-server.

Now I just hope that the workstations will keep their information, even when a user is not logged in, or else it will be quite problematic to update windows without having to log in. Is this something you can comment on thsundel?


Yes, that registry change will stay there even if no one is logged on.

Thomas
0 Likes
Knowledge Partner
Knowledge Partner

Re: WSUS Policy not applying

jjhs;2345433 wrote:
The workstations are running the zenworks agent version 11.3.1.41750

I can give it a try but the problem is, as i mentionened in an earlier post, that not the entire .reg file is added. It was only the AU key that got the information, not the "root" WindowsUpdate.
Maybe i should try adding the former policy to the launch tab, hoping this would force the policy to be added every time the device is booted. Would this give the same outcome as if i ran 'gpupdate /force' in cmd?

EDIT: okay i guess i was a little too fast on that one. Its apparently not possible to make policies run everytime the device is booted?


As it said in the TID, you get unexpected results if you do it through WGPO policy.. And the recommended way is to do it through a bundle with registry edit action, so I would try to get that working and not waste time on GPO.

11.3.1.x have some bugs that fails to launch bundles on specific schedules, like user login etc.. So I would recommend updating to 11.3.2.

Thomas
0 Likes
jjhs Absent Member.
Absent Member.

Re: WSUS Policy not applying

I will make sure my zenworks administrator gets the notice about failing bundles, and then we'll see if we can get it updated anytime soon.

However, everything seems to be working now, theres just a single workstation that is acting up but i dont think that is zenworks-related 😉

Thank you very much for your help. I really appreciate it 🙂
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.