You need to ensure that all the servers in ProdOU only …

Your network contains an Active Directory domain.
The domain contains two organizational units (OUs) named ProdOU and TestOU.
All production servers are in ProdOU. All test servers are in TestOU. A server named Server1 is in TestOU.
You have a Windows Server Update Services (WSUS) server named WSUS1 that runs Windows Server 2016.
All servers receive updates from WSUS1.
WSUS is configured to approve updates for computers in the Test computer group automatically.
Manual approval is required for updates to the computers in the Production computer group.
You move Server1 to ProdOU, and you discover that updates continue to be approved and installed
automatically on Server1.
You need to ensure that all the servers in ProdOU only receive updates that are approved manually.
What should you do?

Your network contains an Active Directory domain.
The domain contains two organizational units (OUs) named ProdOU and TestOU.
All production servers are in ProdOU. All test servers are in TestOU. A server named Server1 is in TestOU.
You have a Windows Server Update Services (WSUS) server named WSUS1 that runs Windows Server 2016.
All servers receive updates from WSUS1.
WSUS is configured to approve updates for computers in the Test computer group automatically.
Manual approval is required for updates to the computers in the Production computer group.
You move Server1 to ProdOU, and you discover that updates continue to be approved and installed
automatically on Server1.
You need to ensure that all the servers in ProdOU only receive updates that are approved manually.
What should you do?

A.
Turn off auto-restart for updates during active hours by using Group Policy objects (GPOs).

B.
Configure client-side targeting by using Group Policy objects (GPOs).

C.
Create computer groups by using the Update Services console.

D.
Run wuauclt.exe /detectnow on each server after the server is moved to a different OU.

Explanation:
Updates in WSUS are approved against “Computer Group” , not AD OUs.
For this example, to prevent Server1 to install automatically approved updates,
you have to remove Server1 from “Test” computer group and add Server1 into “Production” computer group in
WSUS console, manually or use the WSUS GPO
Client-Side Targeting feature.
https://technet.microsoft.com/en-us/library/cc720450%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
With client-side targeting, you enable client-computers to add themselves to the computer groups you create in
the WSUS console.
You can enable client-side targeting through Group Policy (in an Active Directory network environment) or by
editing registry entries (in a non-Active Directory
network environment) for the client computers.
When the WSUS client computers connect to the WSUS server, they will add themselves into the
correct computer group.
Client-side targeting is an excellent option if you have many client computers and want to automate the process
of assigning them to computer groups.
First, configure WSUS to allow Client Site Targeting.

Secondly, configure GPO to affect “ProdOU” , so that Server1 add itself to “Production” computer group.
https://prajwaldesai.com/how-to-configure-client-side-targeting-in-wsus



Leave a Reply 0

Your email address will not be published. Required fields are marked *

13 − 11 =