Jump to content


  • Content Count

  • Joined

  • Last visited

Everything posted by Michel-B

  1. The situation here is like this: - 2 sites, connected by a VPN over WAN link - Different groups in KSC seperating servers and clients, also subgroups in both - Clients and servers from both sites are mixed in the same groups (so a client in the group 'Managed Computers > Clients > Laptops' can be both on site #1 and site #2) - Site #1 has the Administration Server installed I want all clients on Site #1 to retrieve their updates from the Administration Server. For Site #2 I want them to connect to a Update Agent on that location. So I figured I'd add assign that server on Site #2 as Update Agent in the group's properties. Question #1: Do I also have to assign the Administration Server to the Update Agent to prevent clients on Site #1 from connection to the Update Agent on Site #2? Question #2: How do clients detect to which server they have to connect to? Because clients on #2 could potentially connect to the Administration Server on Site #1. I want to prevent that. Question #3: Do I have to assign Update Agents to every subgroup as well? Or is assigning them to a parent group sufficient? KSC version 10.2.434 Network Agents version 10.2.434 Patch D
  2. But that only works for executables in the root of the 'C:\Program Files' and 'C:\Program Files (x86)' folders. This doesn't work for subfolders unless I add them all manually. For example: 'C:\Program Files\VideoLAN\VLC\vlc.exe' EDIT: Nevermind, I stand corrected. It does in fact work on subfolders, for some reason I failed to see this. Thanks for the solution! :ay:
  3. I can only say 10.2.434 (both patch A and D) have been running for a couple of months without any problems on a 2012R2 server here. Don't know about 10.1.249.
  4. Call me stupid, but I don't see how/where. Just for the record, I want to select a folder including all subfolders.
  5. I was wondering if it's possible, like in Microsoft's AppLocker, to specify a location in the Application Startup Control where executables are allowed to run. So basically, I specify 'C:\Program Files' and 'C:\Program Files (x86)' to allow starting of every executable in there, including subfolders. Mind you, I don't want to use a reference folder to import executables from, I just want executables in the folders on every client the policy applies to allow the startup of those. KSC 10.2.434 KES 10 SP1 MR2 Why? Simple. Users cannot write to their Program Files folder, so everything in there is safe to start.
  6. Thanks, that's very helpful as I wasn't aware of this feature. I'll look into this. I though I set it up the right way, but the klnagchk tool didn't give me definitive answer. I noticed the connection profiles and played around with it a bit. But from my understanding you can only specify an Administration Server here, not an Update Agent, correct?
  7. So I have 2 groups in the admin center: Site1 and Site2. On both groups, update agents are assigned manually and these seems to function properly. When a user picks up his laptop and travels from Site1 to Site2 it, obviously, still remains in group 1. Therefor it will also still receive updates from the update agents assigned to Site1. This is the main problem. Can I dynamically assign update agents based on location? Kinda like the connection profiles for the admin center. I can tell to connect to a specific admin server based on subnet for example, but I can't do that for update agents, can I?
  8. I was wondering what the best practice is to setup policies and update tasks for a situation where users roam a lot between 2 sites of 1 company. There's a WAN link with a VPN in between where we would like to keep the load off. Site 1 has the Administration Server that distributes policies and updates (including WSUS). Site 2 only has 1 or 2 Update Agents. There's a group for each site, so updates or site 2 are being distributed through the Update Agents assigned to that group instead of all clients in site 2 connecting to the server at site 1. Say a users travels from site 1 to 2. It'll still get it's updates from site 1. The same for users going from 2 to 1. One or two users isn't that much of a problem, but we have dozens traveling each day and we've noticed that, when a bunch of Windows Updates are released, the WAN link gets overloaded. How do you approach this?
  9. Requesting Application Startup Control to be made available on Windows Server editions. We're using Application Startup Control on all workstations and have setup all whole load of policies, but can't use this on our terminal servers. I don't see why this shouldn't be possible since, if properly configured, there's no real difference in impact between a Windows client or Server. Especially for terminal servers this would be great so you don't end up with 2 completely different systems and rule set (KES Application Startup Control vs Windows AppLocker).
  10. Thanks for your reponse. I really hope there are plans to implement this at some point, because it's really annoying to still have to use AppLocker policies alongside our KES Appication Startup Control policies. I don't see how Application Startup Control really interferes with servers any different from the way it does on workstations. Can you eloborate?
  11. We're using Win2008 R2 servers for our RDS farm and manage the startup of applications with AppLocker. Since I use Application Startup Control on my clients I'd like to do this for my RDS servers as well. Why is this not possible?
  • Create New...

Important Information

We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.