
Working WMI Filters for GPO–Blocking WSUS reboots

So I’ve been having an issue lately, where my GPOs were not doing what I’d hoped for my WSUS reboots – namely, they were NOT blocking the setting from my Windows-based SAN systems.  Because I name my systems consistently, as NW-SAN# (yes, I’m so creative), it should have been quick and easy – set a WMI filter, apply the WSUS – NO REBOOT GPO and walk away.   If only I hadn’t missed two easy gotchas – but at least I have now.

1) Create yourself a “NO WSUS REBOOT” GPO or similar – and ensure that you set the Computer Policies –> Policies –> Administrative Templates –> Windows Components –> Windows Update –> Configure Automatic Updates –> Configure Automatic Updating to something other than “4” which is “Download and install automatically”.   Also, you want to set the GPO to ENFORCED=YES

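2) Create a WMI Filter, excluding the system(s).  You want the NAMESPACE = root\CIMv2 and QUERY="SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'NW-SAN%'".  WQL does not expand * in an = comparison; matching on a name prefix needs the LIKE operator with % as the wildcard.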

3) Even though you have a WMI filter, you still need to remember to LINK the GPO somewhere – to the root of the domain, to your Servers OU, etc.

4) Then run through your Group Policy Modeling, and select any user/container for the User and your specific Computer object to test it out.  You should see the results show you which GPO won, and you should see where the WSUS – NO REBOOT GPO won.
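An added example (not from the original post) for checking steps 2 to 4 on the server itself: it evaluates a filter query the way the Group Policy client does, where the filter passes only if the query returns at least one instance, and then looks for the GPO in the computer's resultant policy. The function name Test-WmiFilterQuery is hypothetical, and the script runs both an = comparison with * and the LIKE form so the difference is visible on an NW-SAN host.

```powershell
# Added example, not the author's code. Run in an elevated PowerShell session
# on the server the GPO is meant to reach (for example NW-SAN2).

function Test-WmiFilterQuery {
    # Hypothetical helper: returns whether a GPO WMI filter query would pass here.
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        # A WMI filter is true when the query returns one or more instances.
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        [pscustomobject]@{
            Query   = $Query
            Matches = $hits.Count
            Passes  = ($hits.Count -gt 0)
            Error   = $null
        }
    }
    catch {
        # An invalid query never passes, so the GPO is silently skipped.
        [pscustomobject]@{
            Query   = $Query
            Matches = 0
            Passes  = $false
            Error   = $_.Exception.Message
        }
    }
}

$queries = @(
    # '*' is a literal character here, so this only matches a host named "NW-SAN*".
    "SELECT * FROM Win32_ComputerSystem WHERE Name = 'NW-SAN*'",
    # '%' is the WQL wildcard and is only honoured by LIKE.
    "SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'NW-SAN%'"
)

"Local computer name: $env:COMPUTERNAME"
$queries | ForEach-Object { Test-WmiFilterQuery -Query $_ } | Format-List

# Refresh computer policy, then check whether the GPO was applied or filtered out.
# 'NO REBOOT' is taken from the GPO name used in this post; adjust to your own.
gpupdate /target:computer /force | Out-Null
gpresult /scope computer /r |
    Select-String -Pattern 'NO REBOOT', 'WMI Filter' -Context 0, 2
```

If the GPO shows up under the filtered-out list in the gpresult output rather than under the applied GPOs, the filter query returned nothing on that host or the GPO is not linked where the computer object lives.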

What can I say – I do a lot of this at home at night.  I should have caught it earlier!  You can see how this would now let me have it work on NW-SAN2, NW-SAN3, etc.  If you follow a good naming convention, you would easily be able to say “exclude NW-EXCH*” or similar.  Using WMI filters is a good way to do dynamic group membership, without needing to mess with a group.  An alternative might be to look for the presence of software (e.g. StarWind) or OS version (e.g. Windows Storage Server), etc.

Categories: AD, GPO