WSUS Group Policy Settings to Deploy Updates

In one of our earlier articles we described setting up a WSUS server on Windows Server 2012 R2 / 2016 in detail. After you have configured the update server, you need to configure Windows clients (servers and workstations) to use the WSUS server to receive updates. The goal is that all Windows clients in your network receive updates from the internal update server and not from the Microsoft Update servers over the Internet. In this article we look at how to configure clients to use a WSUS server via Active Directory domain Group Policy (GPO).

AD Group Policies allow the administrator to assign computers to different WSUS groups automatically, so the WSUS administrator does not have to move computers between groups manually in the WSUS console and keep those groups up to date. Assignment of clients to target WSUS groups is based on a label in the registry of the client (the label is set by a GPO or by a direct registry modification). This way of assigning clients to WSUS groups is called client-side targeting.

We assume that our network will use two different update policies: one update policy for Servers and another one for Workstations. These two groups need to be created in the WSUS console under All Computers.

Tip. How clients use the WSUS server depends largely on the structure of the Active Directory organizational units (OU) and on the update installation rules in the company. In this article we try to explain the basic principles of using Group Policy to install Windows updates.

First of all, you have to specify the rule for grouping computers in the WSUS console (targeting). By default, computers in the WSUS console are distributed into groups manually by the server administrator (server-side targeting). This does not suit us, so we specify that computers are to be distributed into groups using client-side targeting (via Group Policy or registry parameters). To do this, in the WSUS console click Options and open Computers. Change the value to "Use Group Policy or registry settings on computers".

[Screenshot: WSUS console, Options -> Computers, client-side targeting option]

Now you can create the GPOs that configure the WSUS clients. Open the Group Policy Management console (GPMC.msc) and create two new group policies: ServerWSUSPolicy and WorkstationWSUSPolicy.

WSUS Group Policy for Windows servers

Let's start with the description of the server policy, ServerWSUSPolicy.

The Group Policy settings that control the Windows Update service are located in the following GPO section: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update.

[Screenshot: Windows Update settings for servers in the GPO editor]

In our environment, this policy is applied to install updates from WSUS on Windows servers. All computers that fall under this policy are assigned to the Servers group in the WSUS console. In addition, we want to disable the automatic installation of updates on servers as soon as they are received. The update client should only download the available updates to the local drive, show the corresponding notification in the system tray and wait for the administrator to start the installation manually (locally or remotely, for example with the PSWindowsUpdate module). This means that production servers will not install updates and reboot without the administrator's confirmation (usually the system administrator does this as part of the monthly scheduled maintenance). To implement this scheme, set the following policies:

  • Configure Automatic Updates: Enabled. 3 – Auto download and notify for install – the client automatically downloads new updates and notifies you about them;
  • Specify intranet Microsoft update service location: Enabled. Set the intranet update service for detecting updates and Set the intranet statistics server – the address of the local WSUS server and of the statistics server (usually they are the same);
  • No auto-restart with logged on users for scheduled automatic updates installations: Enabled – no automatic restart while a user session is open;
  • Enable client-side targeting: Enabled. Target group name for this computer: Servers – in the WSUS console, the clients are assigned to the Servers group.

[Screenshot: summary of the WSUS GPO settings]

Note. When you configure the update policy, we recommend that you get acquainted with all the settings available in every option of the Windows Update GPO section and set the parameters that suit your infrastructure and organization.

WSUS Group Policy for Windows Workstations

We assume that, in contrast to the server policy, updates on client workstations are installed automatically at night, right after they have been received. After the updates are installed, the computers should restart automatically (the user is notified 5 minutes before the restart).

In this GPO (WorkstationWSUSPolicy) we specify:

  • Allow Automatic Updates immediate installation: Disabled – updates are not installed immediately after they are received;
  • Allow non-administrators to receive update notifications: Enabled – notifications about new updates are shown to non-administrators, who are allowed to install them manually;
  • Configure Automatic Updates: Enabled. Configure automatic updating: 4 – Auto download and schedule the install. Scheduled install day: 0 – Every day. Scheduled install time: 05:00 – the client downloads new updates and schedules their installation for 5:00 am;
  • Enable client-side targeting: Enabled. Target group name for this computer: Workstations – in the WSUS console, the client is assigned to the Workstations group;
  • No auto-restart with logged on users for scheduled automatic updates installations: Disabled;
  • Specify intranet Microsoft update service location: Enabled. Set the intranet update service for detecting updates and Set the intranet statistics server – the address of the corporate WSUS server.

In Windows 10 1607 and later, even though you have specified that updates are received from the internal WSUS server, Windows 10 may still try to contact the Windows Update servers on the Internet. This "feature" is called Dual Scan. To stop the client from receiving updates from the Internet, you additionally need to enable the policy Do not allow update deferral policies to cause scans against Windows Update (ref.).
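The two policies above (the server list, the workstation list and the Dual Scan setting) can also be created from a script instead of clicking through the GPO editor. The following PowerShell is an added example and not part of the original article: it writes the registry-backed values that those Administrative Template settings correspond to, using the GroupPolicy module's Set-GPRegistryValue, and links each GPO to its OU. The WSUS URL, the GPO names and the OU distinguished names are assumptions for this example; replace them with your own. Note that with a plain http:// URL the client cannot authenticate the WSUS server, so prefer https once WSUS is configured for SSL.

```powershell
# Added example: creates ServerWSUSPolicy / WorkstationWSUSPolicy and links them.
# Run on a machine with RSAT / the GroupPolicy module, as a user who can edit GPOs.
#Requires -Modules GroupPolicy
Import-Module GroupPolicy

$WsusUrl = 'http://wsus.corp.example.com:8530'   # ASSUMED address of the internal WSUS server
$WuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey   = "$WuKey\AU"

# Settings shared by both policies: intranet update location, client-side
# targeting enabled, Dual Scan disabled, Configure Automatic Updates enabled.
$Common = @(
    @{ Key = $WuKey; Name = 'WUServer';           Type = 'String'; Value = $WsusUrl }
    @{ Key = $WuKey; Name = 'WUStatusServer';     Type = 'String'; Value = $WsusUrl }
    @{ Key = $WuKey; Name = 'TargetGroupEnabled'; Type = 'DWord';  Value = 1 }
    @{ Key = $WuKey; Name = 'DisableDualScan';    Type = 'DWord';  Value = 1 }  # "Do not allow update deferral policies to cause scans against Windows Update"
    @{ Key = $AuKey; Name = 'UseWUServer';        Type = 'DWord';  Value = 1 }  # without this WUServer is ignored
    @{ Key = $AuKey; Name = 'NoAutoUpdate';       Type = 'DWord';  Value = 0 }  # Configure Automatic Updates: Enabled
)

# Servers: download and notify only, never reboot with a user logged on.
$Servers = @(
    @{ Key = $WuKey; Name = 'TargetGroup';                   Type = 'String'; Value = 'Servers' }
    @{ Key = $AuKey; Name = 'AUOptions';                     Type = 'DWord';  Value = 3 }  # 3 = auto download and notify for install
    @{ Key = $AuKey; Name = 'NoAutoRebootWithLoggedOnUsers'; Type = 'DWord';  Value = 1 }
)

# Workstations: scheduled install every day at 05:00, automatic reboot allowed.
$Workstations = @(
    @{ Key = $WuKey; Name = 'TargetGroup';                   Type = 'String'; Value = 'Workstations' }
    @{ Key = $WuKey; Name = 'ElevateNonAdmins';              Type = 'DWord';  Value = 1 }  # non-admins receive update notifications
    @{ Key = $AuKey; Name = 'AUOptions';                     Type = 'DWord';  Value = 4 }  # 4 = auto download and schedule the install
    @{ Key = $AuKey; Name = 'ScheduledInstallDay';           Type = 'DWord';  Value = 0 }  # 0 = every day
    @{ Key = $AuKey; Name = 'ScheduledInstallTime';          Type = 'DWord';  Value = 5 }  # 05:00
    @{ Key = $AuKey; Name = 'AutoInstallMinorUpdates';       Type = 'DWord';  Value = 0 }  # "Allow Automatic Updates immediate installation": Disabled
    @{ Key = $AuKey; Name = 'NoAutoRebootWithLoggedOnUsers'; Type = 'DWord';  Value = 0 }
)

# ASSUMED OU layout: Servers, Domain Controllers and WKS under corp.example.com
$Links = @{
    'ServerWSUSPolicy'      = @('OU=Servers,DC=corp,DC=example,DC=com',
                                'OU=Domain Controllers,DC=corp,DC=example,DC=com')
    'WorkstationWSUSPolicy' = @('OU=WKS,DC=corp,DC=example,DC=com')
}

function Set-WsusGpoValues {
    param([string]$GpoName, [hashtable[]]$Values)
    foreach ($v in $Values) {
        Set-GPRegistryValue -Name $GpoName -Key $v.Key -ValueName $v.Name `
                            -Type $v.Type -Value $v.Value | Out-Null
    }
}

foreach ($gpo in $Links.Keys) {
    if (-not (Get-GPO -Name $gpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpo | Out-Null
    }
    $specific = if ($gpo -eq 'ServerWSUSPolicy') { $Servers } else { $Workstations }
    Set-WsusGpoValues -GpoName $gpo -Values ($Common + $specific)

    # Link the GPO to each OU unless a link already exists (idempotent re-runs).
    foreach ($ou in $Links[$gpo]) {
        $linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object DisplayName -eq $gpo
        if (-not $linked) { New-GPLink -Name $gpo -Target $ou -LinkEnabled Yes | Out-Null }
    }
    Write-Host "Configured and linked $gpo"
}
```

The registry value names are the ones the Windows Update ADMX templates write, so the result is identical to setting the policies in the GPO editor and shows up there as configured settings.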

Tip. To make sure all computers in the company get every available patch, both policies can be configured so that the update service (wuauserv) is forced to start on the client. To do this, under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services find Windows Update and set its startup mode to Automatic.

[Screenshot: Windows Update service set to Automatic start]

Assigning the WSUS Group Policies to the AD OUs

The next step is to link the policies you created to the corresponding Active Directory containers (OUs). In our example the OU structure is very simple: there are two containers, Servers (it contains all servers of the company except the domain controllers) and WKS (Workstations, the users' computers).

Tip. We consider only a fairly simple way of binding the WSUS policies to clients. In the real world, you can link a single WSUS policy to all domain computers (the GPO is linked to the domain root) or distribute different types of clients across different OUs (as in our example, with separate WSUS policies for servers and workstations). In large distributed domains it is worth linking different WSUS servers to AD sites, or applying a GPO based on WMI filters, or combining these methods.

To link a policy to an OU, right-click the OU in the Group Policy Management Console, select Link an Existing GPO, and then select the appropriate policy.

[Screenshot: linking the WSUS GPO to an Active Directory OU]

Tip. Don't forget about the separate OU Domain Controllers. In most cases the WSUS server policy should be linked to this container as well.

In the same way, link WorkstationWSUSPolicy to the AD container named WKS (where the Windows workstations are located).

It remains to update Group Policy on the clients so that they are bound to the WSUS server:

All Windows Update settings that we set through Group Policy should appear on the client in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

The following (abridged) reg file can be used to transfer the WSUS settings to computers on which you cannot configure update settings using GPO (computers in a workgroup, isolated segments, a DMZ, etc.). Fill in the WSUS server URL before importing it; UseWUServer is required, otherwise WUServer is ignored and the client keeps using Microsoft Update.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
; URL of your WSUS server, e.g. http://<wsus-host>:8530 (left empty in the original)
"WUServer"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"NoAutoUpdate"=dword:00000000

[Screenshot: reg file with WSUS settings]

It is also convenient to check the WSUS settings applied on clients with the rsop.msc snap-in.
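Reading the policy key directly is faster than rsop.msc when you have to check many clients, and it works on workgroup machines configured by the reg file as well. The following PowerShell is an added example, not code from the original article: it decodes the values under the WindowsUpdate policy key into the policy names used above and compares them with what you expect for the machine. The expected server URL and group name in the usage line are assumptions; change them to match your environment.

```powershell
# Added example: decode and verify the effective WSUS client configuration.
# Run on the client (elevated is not required for reading HKLM policy keys).

function Get-WsusClientConfig {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    # AUOptions values as shown in "Configure Automatic Updates"
    $auOptions = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }

    [pscustomobject]@{
        WUServer                      = $wu.WUServer
        WUStatusServer                = $wu.WUStatusServer
        UseWUServer                   = ($au.UseWUServer -eq 1)
        TargetGroup                   = if ($wu.TargetGroupEnabled -eq 1) { $wu.TargetGroup } else { '(server-side targeting)' }
        AutomaticUpdates              = if ($au.NoAutoUpdate -eq 1) { 'Disabled' } else { $auOptions[[int]$au.AUOptions] }
        ScheduledInstall              = if ($au.AUOptions -eq 4) { 'day={0} ({1}) time={2:00}:00' -f $au.ScheduledInstallDay, ($(if ($au.ScheduledInstallDay -eq 0) { 'every day' } else { 'weekly' })), $au.ScheduledInstallTime } else { $null }
        NoAutoRebootWithLoggedOnUsers = ($au.NoAutoRebootWithLoggedOnUsers -eq 1)
        DisableDualScan               = ($wu.DisableDualScan -eq 1)
    }
}

function Test-WsusClientConfig {
    param(
        [Parameter(Mandatory)][string]$ExpectedServer,
        [Parameter(Mandatory)][string]$ExpectedGroup
    )
    $cfg = Get-WsusClientConfig
    $problems = @()
    $warnings = @()

    if (-not $cfg.UseWUServer) {
        $problems += 'UseWUServer is not 1: the client will scan against Microsoft Update, not WSUS'
    }
    if ($cfg.WUServer -ne $ExpectedServer) {
        $problems += "WUServer is '$($cfg.WUServer)', expected '$ExpectedServer'"
    }
    if ($cfg.TargetGroup -ne $ExpectedGroup) {
        $problems += "TargetGroup is '$($cfg.TargetGroup)', expected '$ExpectedGroup'"
    }
    if (-not $cfg.DisableDualScan) {
        $warnings += 'DisableDualScan is not set: Windows 10 1607+ may still scan against Windows Update (Dual Scan)'
    }
    if ($cfg.WUServer -like 'http://*') {
        $warnings += 'WSUS URL is plain http: the client cannot authenticate the update server; configure WSUS for SSL and use https'
    }

    [pscustomobject]@{
        Config   = $cfg
        Problems = $problems
        Warnings = $warnings
        Ok       = ($problems.Count -eq 0)
    }
}

# Usage (ASSUMED values): refresh computer policy first so the check sees the latest GPO.
gpupdate /target:computer /force | Out-Null
$result = Test-WsusClientConfig -ExpectedServer 'http://wsus.corp.example.com:8530' -ExpectedGroup 'Servers'
$result.Config | Format-List
$result.Problems + $result.Warnings | ForEach-Object { Write-Warning $_ }
```

On a workstation pass -ExpectedGroup 'Workstations'; the function can be wrapped in Invoke-Command to run the same check against a list of computers and collect the Ok flag per host.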

After a while (it depends on the number of updates and the bandwidth to the WSUS server) check whether a pop-up notification about new updates appears in the tray. Clients (computer name, IP address, OS, patch percentage and date of the last status report) should appear in the corresponding groups in the WSUS console. Since we assigned the computers and servers to different WSUS groups using GPO, they will only receive updates approved for installation on the corresponding WSUS group.

[Screenshot: Windows clients in the WSUS console]

Note. If updates do not appear on the client, carefully examine the Windows Update service log (C:\Windows\WindowsUpdate.log). Note that Windows 10 (Windows Server 2016) uses a different format for the WindowsUpdate.log file: the log is written as ETW traces, and the readable text file has to be generated with the Get-WindowsUpdateLog PowerShell cmdlet.

The client downloads updates to the local folder C:\Windows\SoftwareDistribution\Download.

To start the search for new updates on the WSUS server immediately, run wuauclt with the /detectnow switch. Sometimes you also have to force the client to re-register on the WSUS server, which is done by adding /resetAuthorization:

wuauclt /detectnow /resetAuthorization

Note that on Windows 10 / Windows Server 2016 and later wuauclt /detectnow no longer triggers a scan; use UsoClient.exe StartScan there instead.

In particularly difficult cases, you can try to repair the wuauserv service as follows. If error 0x80244010 (WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS) occurs when clients receive updates, try changing the frequency with which clients check the WSUS server for updates, using the Automatic Update detection frequency policy, to 3-4 hours.
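The manual commands above can be combined into one client-side reset that works on both the legacy and the Windows 10 / Server 2016+ update client. The following PowerShell is an added example and not the procedure the original article had in mind: besides re-running the detection it can optionally clear the client's WSUS identity (SusClientId and related values), which is the usual remedy when cloned machines share one ID and keep overwriting each other in the WSUS console, and it reads the last detection result so you can see an error such as 0x80244010 without opening the log. Clearing the identity is an assumed troubleshooting step; run it only when a machine is missing from or flapping in the console.

```powershell
# Added example: force a WSUS client to re-register, rescan and report,
# and show the result of the last detection. Run in an elevated PowerShell on the client.

function Get-WsusDetectStatus {
    # Last detection result as recorded by the Windows Update agent
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect'
    $r = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LastSuccessTime = $r.LastSuccessTime
        LastError       = if ($null -ne $r.LastError) { '0x{0:X8}' -f [uint32]$r.LastError } else { $null }
    }
}

function Reset-WsusClient {
    param(
        # Clear the client identity before re-registering (for cloned / duplicate machines)
        [switch]$ResetClientId
    )
    $sys = "$env:SystemRoot\System32"

    if ($ResetClientId) {
        Stop-Service -Name wuauserv -Force
        $idKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
        foreach ($name in 'SusClientId', 'SusClientIdValidation', 'AccountDomainSid', 'PingID') {
            Remove-ItemProperty -Path $idKey -Name $name -ErrorAction SilentlyContinue
        }
        Start-Service -Name wuauserv
    }

    # Legacy agent (Windows 7 / 2008 R2 / 2012 R2): re-register and detect
    & "$sys\wuauclt.exe" /resetauthorization /detectnow

    # Windows 10 / Server 2016+: wuauclt /detectnow is a no-op, use the Update Session Orchestrator
    if (Test-Path "$sys\UsoClient.exe") {
        & "$sys\UsoClient.exe" StartScan
    }

    # Ask the agent to report status to WSUS so the console row refreshes
    & "$sys\wuauclt.exe" /reportnow
}

# Usage: plain rescan first; add -ResetClientId only for machines with a duplicated SusClientId.
Reset-WsusClient
Start-Sleep -Seconds 120   # give the agent time to finish the detection cycle before reading the result
Get-WsusDetectStatus
```

If LastError still shows 0x80244010 after a rescan, the client needs more server trips than allowed to finish a single detection, which is where the detection frequency policy mentioned above comes in.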

In the following articles we will describe the peculiarities of update approval on the WSUS server and how to copy approved updates between groups on a WSUS server using PowerShell.
