In one of the previous articles we described in detail the installation of a WSUS server on Windows Server 2012. The next step is to configure Windows clients to use the deployed WSUS server. In this article we will consider how to configure WSUS clients using Active Directory Group Policy (GPO).
AD Group Policy allows the administrator to assign computers to different WSUS groups automatically, which saves the trouble of moving computers between groups manually in the WSUS console and keeping those groups up to date. A client is assigned to a target WSUS group based on a target group name stored on the client itself (set either by a GPO or by a direct registry modification). This way of associating clients with WSUS groups is called client-side targeting.
It is assumed that our network uses two different update policies: one for servers (Servers) and another one for workstations (Workstations).
First of all, you have to specify how computers are grouped in the WSUS console (targeting). By default, the WSUS administrator distributes computers into groups manually in the console (server-side targeting). This does not suit us, so we specify that computers are to be distributed into groups using client-side targeting (group policy or registry settings). To do this, in the WSUS console click Options and open Computers. Change the value to Use Group Policy or registry settings on computers. The group names used in the policies (Servers and Workstations) must exist in the WSUS console before clients report in, otherwise the clients land in Unassigned Computers.
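The same switch to client-side targeting, together with creation of the two target groups, can be scripted with the UpdateServices module that ships with the WSUS role. This is an added example and not code from the original article; it assumes it is run locally on the WSUS server (pass -Name and -PortNumber to Get-WsusServer for a remote console connection).

```powershell
# Added example: switch WSUS to client-side targeting and create the two target
# groups. Assumes it runs on the WSUS server itself with the UpdateServices module.
Import-Module UpdateServices

$wsus   = Get-WsusServer              # local server, default port 8530
$config = $wsus.GetConfiguration()

# Equivalent of Options -> Computers -> "Use Group Policy or registry settings on computers"
$clientMode = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
if ($config.TargetingMode -ne $clientMode) {
    $config.TargetingMode = $clientMode
    $config.Save()
    Write-Host 'Targeting mode switched to client-side'
}

# Create the groups the GPOs will refer to. The names must match the
# "Target group name for this computer" value in the policy exactly.
$existing = $wsus.GetComputerTargetGroups() | Select-Object -ExpandProperty Name
foreach ($group in 'Servers', 'Workstations') {
    if ($existing -notcontains $group) {
        $null = $wsus.CreateComputerTargetGroup($group)
        Write-Host "Created target group '$group'"
    }
}

# Re-read the configuration to confirm the change was persisted
$wsus.GetConfiguration().TargetingMode
```

The script is idempotent: running it a second time changes nothing, so it is safe to keep in a WSUS build checklist.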
Next we will configure WSUS clients via GPO. Open the Group Policy Management console and create two new group policies: ServerWSUSPolicy and WorkstationWSUSPolicy.
WSUS Group Policy for Windows servers
Let’s start with the description of the server policy ServerWSUSPolicy.
The Windows Update settings are located in the following GPO section: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update.
In our environment we use this policy to install WSUS updates on Windows servers. All computers that fall under this policy are expected to belong to the Servers group in the WSUS console. In addition, we want to disable automatic installation of updates on the servers as soon as they are received. A WSUS client should only download the available updates, display a notification in the system tray and wait for the administrator to start the installation. This guarantees that production servers will not install updates and reboot without the administrator's consent (usually the administrator does this during planned maintenance). To implement this scheme, set the following policies:
- Configure Automatic Updates: Enabled. Configure automatic updating: 3 – Auto download and notify for install – the client automatically downloads new updates and notifies you about them
- Specify Intranet Microsoft update service location: Enabled. Set the intranet update service for detecting updates: http://wsus.woshub.com:8530, Set the intranet statistics server: http://wsus.woshub.com:8530 – the address of the local WSUS server and of the statistics server (usually they are the same). Note that 8530 is the plain-HTTP port: over HTTP anyone on the network path between the client and WSUS can tamper with the update metadata the client trusts. In production it is better to configure SSL on the WSUS server (wsusutil configuressl) and point clients to https://wsus.woshub.com:8531
- No auto-restart with logged on users for scheduled automatic updates installations: Enabled – do not reboot automatically while a user session is open
- Enable client-side targeting: Enabled. Target group name for this computer: Servers – assigns the clients to the Servers group in the WSUS console
WSUS Group Policies for Workstations
In contrast to the server policy, updates on client workstations are installed automatically at night, after they have been downloaded. Once the updates are installed, the PCs reboot automatically (the user is warned 5 minutes before the reboot).
In this policy, we specify:
- Allow Automatic Updates immediate installation: Disabled – updates that do not require a reboot are not installed immediately after they are received
- Allow non-administrators to receive update notifications: Enabled – show notifications about new updates to non-administrators and allow them to install the updates manually
- Configure Automatic Updates: Enabled. Configure automatic updating: 4 – Auto download and schedule the install. Scheduled install day: 0 – Every day. Scheduled install time: 05:00 – the client downloads new updates and installs them automatically at 5:00 am every day
- Enable client-side targeting: Enabled. Target group name for this computer: Workstations – assigns the clients to the Workstations group in the WSUS console
- No auto-restart with logged on users for scheduled automatic updates installations: Disabled – the computer is allowed to reboot after the scheduled installation even if a user is logged on
- Specify Intranet Microsoft update service location: Enabled. Set the intranet update service for detecting updates: http://wsus.woshub.com:8530, Set the intranet statistics server: http://wsus.woshub.com:8530 – the address of the corporate WSUS server (the same HTTP versus HTTPS consideration as for the server policy applies)
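Both policy sets above, the server one and the workstation one, are just registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that the Windows Update agent reads. The following added example (not code from the original article) creates both GPOs and writes those values with the GroupPolicy module, which is a convenient way to keep the two policies consistent and reviewable. It assumes the GroupPolicy module (RSAT or a domain controller), rights to create GPOs, and the URL and group names used in the article; the mapping of each policy to its registry value is the documented one for the Windows Update ADMX template.

```powershell
# Added example: build ServerWSUSPolicy and WorkstationWSUSPolicy from the registry
# values behind the Windows Update policies. Assumes the GroupPolicy module is
# available and the WSUS URL/group names from the article.
Import-Module GroupPolicy

$wsusUrl = 'http://wsus.woshub.com:8530'   # plain HTTP as in the article; prefer https://...:8531 once SSL is configured
$wuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey   = "$wuKey\AU"

function Set-WsusCommonPolicy {
    # Settings shared by both policies: WSUS location, client-side targeting, AU enabled
    param([string]$GpoName, [string]$TargetGroup)
    # "Specify intranet Microsoft update service location"
    Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName WUServer       -Type String -Value $wsusUrl | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName WUStatusServer -Type String -Value $wsusUrl | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName UseWUServer    -Type DWord  -Value 1        | Out-Null
    # "Enable client-side targeting" + "Target group name for this computer"
    Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName TargetGroupEnabled -Type DWord  -Value 1            | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName TargetGroup        -Type String -Value $TargetGroup | Out-Null
    # "Configure Automatic Updates": Enabled (NoAutoUpdate = 0)
    Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName NoAutoUpdate -Type DWord -Value 0 | Out-Null
}

foreach ($name in 'ServerWSUSPolicy', 'WorkstationWSUSPolicy') {
    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) { New-GPO -Name $name | Out-Null }
}

# Servers: option 3 (auto download, notify for install), never reboot with a logged-on user
Set-WsusCommonPolicy -GpoName ServerWSUSPolicy -TargetGroup Servers
Set-GPRegistryValue -Name ServerWSUSPolicy -Key $auKey -ValueName AUOptions                     -Type DWord -Value 3 | Out-Null
Set-GPRegistryValue -Name ServerWSUSPolicy -Key $auKey -ValueName NoAutoRebootWithLoggedOnUsers -Type DWord -Value 1 | Out-Null

# Workstations: option 4, every day (0) at 05:00 (5), reboot allowed, no immediate
# install of minor updates, non-admins get notifications
Set-WsusCommonPolicy -GpoName WorkstationWSUSPolicy -TargetGroup Workstations
Set-GPRegistryValue -Name WorkstationWSUSPolicy -Key $auKey -ValueName AUOptions                     -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name WorkstationWSUSPolicy -Key $auKey -ValueName ScheduledInstallDay           -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name WorkstationWSUSPolicy -Key $auKey -ValueName ScheduledInstallTime          -Type DWord -Value 5 | Out-Null
Set-GPRegistryValue -Name WorkstationWSUSPolicy -Key $auKey -ValueName NoAutoRebootWithLoggedOnUsers -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name WorkstationWSUSPolicy -Key $auKey -ValueName AutoInstallMinorUpdates       -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name WorkstationWSUSPolicy -Key $wuKey -ValueName ElevateNonAdmins              -Type DWord -Value 1 | Out-Null

# Review what ended up in each policy before linking it
foreach ($name in 'ServerWSUSPolicy', 'WorkstationWSUSPolicy') {
    "== $name =="
    Get-GPRegistryValue -Name $name -Key $wuKey | Select-Object ValueName, Value
    Get-GPRegistryValue -Name $name -Key $auKey | Select-Object ValueName, Value
}
```

Values written this way show up in the Group Policy Management Editor under the same Windows Update policies as if they had been set by hand, so the GPOs remain editable in the console.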
Assign the WSUS Policies to Active Directory OU
The next step is to link the created policies to the corresponding Active Directory containers (OUs). In our example the OU structure is very simple: there are two containers, Servers (all servers of the company, including the domain controllers) and WKS (Workstations, the user computers).
To link a policy to an OU, right-click the OU in the Group Policy Management Console, click Link an Existing GPO and select the policy. Link ServerWSUSPolicy to the Servers OU in this way.
Link WorkstationWSUSPolicy to the AD container named WKS in the same way.
Now you only have to update group policies on the clients, for example by running gpupdate /force or waiting for the next background policy refresh.
After a while (depending on the number of updates and the bandwidth to the WSUS server) check that a pop-up notification about new updates appears in the tray. The clients (computer name, IP address, OS, patch percentage and the date of the last status report) should appear in the corresponding groups in the WSUS console.
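The check described above can be done without waiting for the tray icon. The following added example (not code from the original article) is in two parts: the first part runs on a client and confirms that the policy values arrived, warns when the WSUS URL is plain HTTP, and asks the Windows Update agent to contact the server immediately; the second part runs on the WSUS server and lists which computers have reported into each target group. The group names are the ones from the article.

```powershell
# Added example, part 1 (run on a client): verify the applied WSUS policy and
# trigger a detection cycle. Assumes the policy registry keys from the article.
function Test-WsusClientPolicy {
    $wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty $wuPath      -ErrorAction Stop   # fails loudly if the GPO never applied
    $au = Get-ItemProperty "$wuPath\AU" -ErrorAction Stop

    # Plain HTTP lets an on-path attacker rewrite the update metadata the client trusts;
    # flag it instead of silently continuing.
    if ($wu.WUServer -notmatch '^https://') {
        Write-Warning "WSUS URL '$($wu.WUServer)' is not HTTPS; update traffic is unauthenticated on the network"
    }

    [pscustomobject]@{
        WUServer    = $wu.WUServer
        UseWUServer = $au.UseWUServer
        TargetGroup = if ($wu.TargetGroupEnabled -eq 1) { $wu.TargetGroup } else { '(client-side targeting off)' }
        AUOptions   = $au.AUOptions            # 3 on servers, 4 on workstations per the article
        InstallTime = $au.ScheduledInstallTime # only meaningful for option 4
    }
}

Test-WsusClientPolicy

# Ask the Windows Update agent to contact WSUS now rather than waiting for its next cycle.
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

# Added example, part 2 (run on the WSUS server): who has reported in, per target group.
Import-Module UpdateServices
$wsus = Get-WsusServer
foreach ($group in $wsus.GetComputerTargetGroups() | Where-Object Name -in 'Servers', 'Workstations') {
    "== $($group.Name) =="
    $group.GetComputerTargets() |
        Select-Object FullDomainName, IPAddress, OSDescription, LastReportedStatusTime |
        Format-Table -AutoSize
}
```

A client that shows the right TargetGroup locally but still sits in Unassigned Computers on the server usually means the WSUS option from the first section is still on server-side targeting, or the group name differs in spelling from the one created in the console.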
In the next article we’ll describe the peculiarities of the update approval on the WSUS server.