Posted on September 18, 2014 · Posted in Windows Server 2012

Group Policy Settings to Deploy Updates using WSUS

In one of the previous articles we have described the installation of a WSUS server on Windows Server 2012 in detail. The next step – configure Windows clients to use a deployed WSUS server. In this article we will consider how to configure clients of the WSUS server using Active Directory GPO (Group Policies).

AD Group Policies allow the administrator to automatically assign computers to different WSUS groups, saving him the trouble of manually moving the computers between groups in the WSUS console and support these groups up-to-date. Assigning clients to different target WSUS groups is based on labels on the client itself (labels are set by a GPO or a direct registry modification). This kind of client association to the WSUS groups is called client side targeting.

It is expected that our network will use two different update policies: one for servers (Servers) and another one for workstations (Workstations).

Tip. The policy of using the WSUS server by its clients depends largely on the organizational structure of the Active Directory OU (organization units) and update installation rules in the company. In this article we will try to understand the basic principles of using AD policies to install Windows updates.

First of all, you have to specify the rule of grouping the computers in the WSUS console (targeting). By default, the computers in the WSUS console are distributed into groups manually by the server administrator (server-side targeting). It does not suit us, so we specify that the computers are to be distributed into groups using the client side targeting (group policies or registry parameters). To do this, in the WSUS console click Options and open Computers. Change the value to Use Group Policy or registry settings on computers. wsus gpo client side targeting

Next we will configure WSUS clients via GPO.  Open the Group Policy Management console and create two new group policies: ServerWSUSPolicy and WorkstationWSUSPolicy.

WSUS Group Policy for Windows servers

Let’s start with the description of the server policy ServerWSUSPolicy.

For group policy settings of Windows Update Services, see the following GPO section: Computer Configuration -> PoliciesAdministrative templates-> Windows Component-> Windows Update

Windows Update Settings in GPO

In our environment, we suggest to use this policy to install WSUS updates to Windows servers. All the computers that fall under this policy are assumed to belong to the Servers group in the WSUS console. Besides, we want to disable the automatic installation of updates on the servers when they are received. A WSUS client should just download the available updates, display the corresponding notification in the system tray and wait for administrator approval to begin the installation. Thus we guarantee that the productive servers will not automatically install updates and restart without the permission of the administrator (usually these actions are performed by the system administrator as part of the planned routine works). To implement such scheme, let’s set the following policies:

  • Configure Automatic Updates: Enable. 3 – Auto download and notify for install – client automatically downloads new updates and notifies you about them
  • Specify Intranet Microsoft update service location: Enable. Set the intranet update service for detecting updates: http://, Set the intranet statistics server: http:// – set the address of the local WSUS server and the statistics server (usually they are the same)
  • No auto-restart with logged on users for scheduled automatic updates installations: Enable – disable automatic restart if the user session is open
  • Enable client-side targeting: Enable. Target group name for this computer: Servers – in the WSUS console, refer clients to the group of Servers

wsus gpo settings workstations summary

Note. When you configure update policies, we recommend you to get acquainted with all the settings that are available in each option of Windows Update section, and set the parameters suitable for your infrastructure and organization.

WSUS Group Policies for Workstations

We assume that in contrast to the server policy, updates to the client workstations are installed automatically at night after receiving the updates. After the updates are installed, the PCs are restarted automatically (having notified the user in 5 minutes).

In this policy, we specify:

  • Allow Automatic Updates immediate installation: Disabled – the immediate installation of updates after they are received is disabled
  • Allow non-administrators to receive update notifications: Enabled – display notifications of the new updates to non-administrators and allows to install them manually
  • Configure Automatic Updates: Enabled. Configure automatic updating: 4 – Auto download and schedule the install. Scheduled install day: 0 – Every day. Scheduled install time: 05:00 – a client downloads new updates and plans to install them automatically at 5:00 am
  • Target group name for this computer: Workstations – refers clients to the group Workstations in the WSUS console
  • No auto-restart with logged on users for scheduled automatic updates installations: Disabled
  • Specify Intranet Microsoft update service location: Enable. Set the intranet update service for detecting updates: http://, Set the intranet statistics server: http:// is the address of the corporate WSUS server

Windows Update Service Automatic Start

Tip. To let the computers in the company have all available patches installed, both policies can be configured so that the update service (wuauserv) is forced to start on the client. To do it, under Computer Configuration -> Policies-> Windows Settings -> Security Settings -> System Services find Windows Update and set it to start automatically (Automatic).

Assign the WSUS Policies to Active Directory OU

The next step is to assign the created policies to the corresponding Active Directory containers (OU). In our example OU structure is extremely simple: there are two containers – Servers (it contains all servers of the company, as well as domain controllers) and WKS (Workstations – user computers).

Tip. We consider only a fairly simple option of binding the WSUS policies to clients. In real world, it is possible to bind a single WSUS policy to all domain computers (a GPO is assigned to the domain root), distribute different computers between different OUs (like in our example), in distributed networks it’s worth to bind different WSUS servers to the AD sites, or to assign a GPO based on the WMI filters, or even combine these methods.

To assign the policy to the OU, click the correct OU in the Group Policy Management Console, click Link an Existing GPO, and then check the appropriate policy.

linking wsus gpo to active directory ou

Tip. Don’t forget about the OU Domain Controllers. In most cases the WSUS Server policy should be bound to this container.

You have to assign WorkstationWSUSPolicy to the AD container with the name WKS in the same way.

Now you only have to update group policies on the clients:

gpupdate /force

In some time (it depends on the number of updates and bandwidth to the WSUS server) check if there is a pop-up notification of the new updates in the tray. Clients (the client’s name, an IP, an OS, patch percentage and the date of the last status update) should appear in the corresponding groups in the WSUS console.

windows clients in wsus console

Note. If the updates do not appear on the client, it’s recommended to study the log of Windows Update service on the client that has faced the problem (C:\Windows\WindowsUpdate.log). The downloaded updates are saved to C:\Windows\SoftwareDistribution\Download. You can try to run an immediate poll of the WSUS server by its client:

wuauclt /detectnow

Also, sometimes you have to force the client to re-register on the WSUS server:

wuauclt /detectnow /resetAuthorization

In the next article we’ll describe the peculiarities of the update approval on the WSUS server.

Related Articles