
December 11, 2024 | Group Policies, Windows Server 2022

Managing Windows Update Settings with Group Policy

Group Policies allow centrally configuring Windows Update settings that determine how updates are received and installed on workstations and servers in a domain network. In this article, we’ll look at the basic GPO options that you can use to manage Windows Update settings on computers that receive updates from an intranet WSUS server or directly from Windows Update servers on the Internet.

Contents:
  • Configure Windows Update GPO Settings for WSUS Clients
  • Assign the Windows Update GPOs to the WSUS Clients
  • Applying Windows Update Group Policy to Client Computers
  • Configure Clients to Receive Updates from the Internet via GPO

Configure Windows Update GPO Settings for WSUS Clients

Once you have installed the local Windows Server Update Services (WSUS) host, configure the workstations and servers in your Active Directory to receive updates from it (instead of from Microsoft Update servers over the Internet).

In our example, we want to create two different update installation policies for workstations and servers. To do this, open the WSUS management console (wsus.msc) on the server and create two computer groups under the Computers -> All Computers section.

  • Workstations
  • Servers

Then open the WSUS Options and in the Computers parameter, change the value to Use Group Policy or registry setting on computers.

(Screenshot: WSUS option "Use Group Policy or registry settings on computers", i.e. client-side targeting)

This option enables client-side targeting for WSUS clients. This allows computers to be automatically assigned to update groups using a special registry parameter that contains the WSUS computer group name (this registry parameter is set by GPO or by direct registry modification).

Then open the Group Policy Management console (gpmc.msc) and create two new GPOs: ServerWSUSPolicy and WorkstationWSUSPolicy.

Let’s start with the description of the server update policy, named ServerWSUSPolicy.

The settings for the Windows Update service are located in this GPO section: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update.

(Screenshot: Windows Update settings for servers in the GPO editor)

The server update policy should prevent production servers from automatically installing updates or restarting without the administrator’s approval. Let’s configure the GPO so that the servers automatically download available updates, but do not install them. During scheduled maintenance windows, administrators can manually initiate the installation of updates (from the Settings app or using the PSWindowsUpdate module).

Configure the following policy options:

  • Configure Automatic Updates: Enabled, option 3 – Auto download and notify for install. The client automatically downloads new updates and notifies about them, but does not install them;
  • Specify Intranet Microsoft update service location: Enabled. Set the intranet update service for detecting updates: http://hq-wsus.woshub.com:8530; Set the intranet statistics server: http://hq-wsus.woshub.com:8530. These are the addresses of the local WSUS server and the statistics server (usually the same host);
  • No auto-restart with logged on users for scheduled automatic updates installations: Enabled. Disables the automatic restart while there are active user sessions;
  • Enable client-side targeting: Enabled. Target group name for this computer: Servers. Assigns the clients to the Servers group in the WSUS console.

(Screenshot: summary of the WSUS GPO settings)

For workstations, we want to enable Windows Update to automatically download and install new updates as they become available. Users’ computers should be automatically rebooted (with user notification) after installing updates during non-working hours.

Configure the following settings in the WorkstationWSUSPolicy GPO:

  • Allow Automatic Updates immediate installation: Disabled. Prevents updates from being installed as soon as they are received;
  • Allow non-administrators to receive update notifications: Enabled. Shows non-admin users a notification about new updates and allows them to install updates manually;
  • Configure auto-restart reminder notifications for updates and Configure auto-restart warning notifications schedule for updates: Enabled. Displays reboot notifications to users;
  • Configure Automatic Updates: Enabled. Configure automatic updating: 4 – Auto download and schedule the install; Scheduled install day: 0 – Every day; Scheduled install time: 05:00 AM. The client downloads new updates and schedules them to be installed automatically at 5:00 am;
  • Enable client-side targeting: Enabled. Target group name for this computer: Workstations. Assigns the client to the Workstations group in the WSUS console;
  • No auto-restart with logged on users for scheduled automatic update installations: Disabled;
  • Specify Intranet Microsoft update service location: Enabled. Set the intranet update service for detecting updates: http://hq-wsus.woshub.com:8530; Set the intranet statistics server: http://hq-wsus.woshub.com:8530. This is the address of the internal WSUS server;
  • Enable Do not allow update deferral policies to cause scans against Windows Update (the so-called Dual Scan) and Do not connect to any Windows Update Internet locations. This prevents the client from contacting Windows Update servers on the Internet;
  • Turn off auto-restart for updates during active hours: Enabled. Disables the automatic restart after installing updates during working hours (set the working time interval in the Active Hours Start and Active Hours End options, for example from 8 AM to 5 PM).

Force the Windows Update service (wuauserv) to start automatically on domain computers in both GPOs. To do this, go to Computer Configuration -> Policies-> Windows Settings -> Security Settings -> System Services, find the Windows Update service, and set it to start automatically.

(Screenshot: Windows Update service set to start automatically under System Services)

Assign the Windows Update GPOs to the WSUS Clients

Then link the policies you have created to the appropriate containers (OUs) in the Group Policy Management console (it is assumed that separate Organizational Units exist in AD for server and workstation objects).

Tip. We considered only one fairly simple strategy for linking WSUS update policies to clients. In real-world organizations, it is possible to link a single WSUS policy to all domain computers (a GPO with WSUS settings linked to the domain root) or to distribute different types of clients across different OUs (as in our example, where we created different WSUS policies for the servers and the workstations). In large distributed domains, you may want to link different WSUS servers to AD sites, link GPOs based on WMI filters, or use a combination of the above methods.

In the Group Policy Management console, right-click the required OU, select Link an Existing GPO, and select ServerWSUSPolicy.

(Screenshot: linking the WSUS GPO to an Active Directory OU)

Tip. Also, link the WSUS server policy to the Domain Controllers OU.

Similarly, assign the Workstation Update policy to the OU containing the users’ computers.
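The steps above (create the two GPOs, set the Windows Update policy values, link them to the OUs) can also be scripted. The following is an added example written for this page, not code from the original article or from the Windows OS Hub project. It uses the GroupPolicy module (Set-GPRegistryValue writes the same registry-based policy values the Administrative Template settings produce) and assumes the OU distinguished names and the domain DC=woshub,DC=com; the WSUS URL and group names are the article's.

```powershell
# Added example: build ServerWSUSPolicy and WorkstationWSUSPolicy with PowerShell.
# Requires the GroupPolicy module (RSAT or a domain controller) and rights to create/link GPOs.
Import-Module GroupPolicy

$WsusUrl       = 'http://hq-wsus.woshub.com:8530'                # WSUS server from the article
$ServersOU     = 'OU=Servers,DC=woshub,DC=com'                    # assumed OU DN
$WorkstationOU = 'OU=Workstations,DC=woshub,DC=com'               # assumed OU DN
$DCsOU         = 'OU=Domain Controllers,DC=woshub,DC=com'         # assumed domain name
$PolicyKey     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AUKey         = "$PolicyKey\AU"

function Set-WsusPolicyValue {
    param([string]$Gpo, [string]$Key, [string]$Name, [string]$Type, $Value)
    Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $Name -Type $Type -Value $Value | Out-Null
}

function New-WsusGpo {
    param(
        [string]$Name,
        [string]$TargetGroup,
        [int]$AUOptions,              # 3 = auto download and notify, 4 = auto download and schedule install
        [int]$NoAutoRebootWithUsers,  # 1 = never reboot while users are logged on
        [int]$ScheduledInstallDay,    # 0 = every day
        [int]$ScheduledInstallTime,   # hour of day, 0-23
        [switch]$BlockInternetWU,     # Dual Scan off + no Windows Update Internet locations
        [switch]$ActiveHours          # no auto-restart between 08:00 and 17:00
    )
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) { New-GPO -Name $Name | Out-Null }

    # "Specify Intranet Microsoft update service location"
    Set-WsusPolicyValue $Name $PolicyKey 'WUServer'       String $WsusUrl
    Set-WsusPolicyValue $Name $PolicyKey 'WUStatusServer' String $WsusUrl
    Set-WsusPolicyValue $Name $AUKey     'UseWUServer'    DWord  1
    # "Enable client-side targeting": WSUS computer group for this client
    Set-WsusPolicyValue $Name $PolicyKey 'TargetGroupEnabled' DWord  1
    Set-WsusPolicyValue $Name $PolicyKey 'TargetGroup'        String $TargetGroup
    # "Configure Automatic Updates"
    Set-WsusPolicyValue $Name $AUKey 'NoAutoUpdate'         DWord 0
    Set-WsusPolicyValue $Name $AUKey 'AUOptions'            DWord $AUOptions
    Set-WsusPolicyValue $Name $AUKey 'ScheduledInstallDay'  DWord $ScheduledInstallDay
    Set-WsusPolicyValue $Name $AUKey 'ScheduledInstallTime' DWord $ScheduledInstallTime
    # "No auto-restart with logged on users for scheduled automatic updates installations"
    Set-WsusPolicyValue $Name $AUKey 'NoAutoRebootWithLoggedOnUsers' DWord $NoAutoRebootWithUsers

    if ($BlockInternetWU) {
        # "Do not allow update deferral policies to cause scans against Windows Update"
        Set-WsusPolicyValue $Name $PolicyKey 'DisableDualScan' DWord 1
        # "Do not connect to any Windows Update Internet locations"
        Set-WsusPolicyValue $Name $PolicyKey 'DoNotConnectToWindowsUpdateInternetLocations' DWord 1
    }
    if ($ActiveHours) {
        # "Turn off auto-restart for updates during active hours", 8 AM to 5 PM
        Set-WsusPolicyValue $Name $AUKey 'SetActiveHours'   DWord 1
        Set-WsusPolicyValue $Name $AUKey 'ActiveHoursStart' DWord 8
        Set-WsusPolicyValue $Name $AUKey 'ActiveHoursEnd'   DWord 17
    }
}

# Servers: download only, notify the admin, never reboot with logged-on users
New-WsusGpo -Name 'ServerWSUSPolicy' -TargetGroup 'Servers' `
    -AUOptions 3 -NoAutoRebootWithUsers 1 -ScheduledInstallDay 0 -ScheduledInstallTime 3

# Workstations: download and install every day at 05:00, reboot outside active hours, WSUS only
New-WsusGpo -Name 'WorkstationWSUSPolicy' -TargetGroup 'Workstations' `
    -AUOptions 4 -NoAutoRebootWithUsers 0 -ScheduledInstallDay 0 -ScheduledInstallTime 5 `
    -BlockInternetWU -ActiveHours

# Link the GPOs to their OUs; the server policy also goes to Domain Controllers, as the article advises
foreach ($link in @(
    @{ Gpo = 'ServerWSUSPolicy';      Target = $ServersOU },
    @{ Gpo = 'ServerWSUSPolicy';      Target = $DCsOU },
    @{ Gpo = 'WorkstationWSUSPolicy'; Target = $WorkstationOU })) {
    # New-GPLink fails if the link already exists; ignore that case on re-runs
    New-GPLink -Name $link.Gpo -Target $link.Target -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}
```

The "Windows Update service: Automatic" setting from the System Services node is a security-settings (GptTmpl.inf) entry rather than a registry-based policy, so it is not covered by Set-GPRegistryValue and still has to be set in the GPO editor (or by importing a security template).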

Updates must first be approved for deployment on the WSUS server (either manually or automatically) before clients can receive and install them.

Applying Windows Update Group Policy to Client Computers

Wait for the new GPO settings to be applied to the clients, or update them manually:

gpupdate /force

To force the clients to check for updates and report their status to the WSUS server, run:

$updateSession = New-Object -ComObject "Microsoft.Update.Session"
$criteria = "IsInstalled=0"
$updates = $updateSession.CreateUpdateSearcher().Search($criteria).Updates
wuauclt /reportnow

To force the client computer to re-register on the WSUS server, use the command:

wuauclt /detectnow /resetAuthorization

See also: how to completely reset the Windows Update agent settings on a computer.

Any Windows Update settings set through Group Policy should appear on the client in the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. This reg key can be exported to a REG file and used to apply WSUS update settings to other computers that cannot be configured via GPO (computers in workgroups, isolated segments, DMZ, etc.)

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://hq-wsus.woshub.com:8530"
"WUStatusServer"="http://hq-wsus.woshub.com:8530"
"UpdateServiceUrlAlternate"=""
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="Servers"
"ElevateNonAdmins"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"ScheduledInstallEveryWeek"=dword:00000001
"UseWUServer"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001

(Screenshot: REG file with the WSUS client settings)
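Whether the values above arrive through the GPO or through the exported REG file, it is worth checking on the client that the effective policy actually points at the intended WSUS server and group before trusting the WSUS console. The following is an added example written for this page (not code from the original article): it reads the policy keys shown above and returns a list of findings. The expected server URL and group names are the article's values; adjust them to your environment.

```powershell
# Added example: verify the effective Windows Update policy on a client.
# Returns 'OK: ...' when the expected WSUS settings are present, otherwise one finding per problem.
function Test-WsusClientPolicy {
    param(
        [string]$ExpectedServer = 'http://hq-wsus.woshub.com:8530',   # article's WSUS server
        [string[]]$AllowedGroups = @('Servers', 'Workstations')        # groups created in the WSUS console
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"
    $findings = @()

    if (-not (Test-Path $wuKey)) {
        # No policy key at all: the GPO has not applied (check rsop.msc / gpresult) or the REG file was not imported
        return @('No WindowsUpdate policy key present; the GPO has not been applied to this computer')
    }
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue } else { $null }

    # "Specify Intranet Microsoft update service location": both URLs must name the WSUS server
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $wu.$name
        if (-not $value) { $findings += "$name is not set" }
        elseif ($value -ne $ExpectedServer) { $findings += "$name is '$value', expected '$ExpectedServer'" }
    }
    if ($null -eq $au -or $au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client scans Microsoft Update on the Internet instead of WSUS'
    }

    # "Enable client-side targeting": otherwise the computer lands in Unassigned Computers
    if ($wu.TargetGroupEnabled -ne 1) {
        $findings += 'TargetGroupEnabled is not 1: the client will appear under Unassigned Computers'
    } elseif ($AllowedGroups -notcontains $wu.TargetGroup) {
        $findings += "TargetGroup '$($wu.TargetGroup)' does not match any WSUS computer group"
    }

    # "Configure Automatic Updates" must not be disabled outright
    if ($au -and $au.NoAutoUpdate -eq 1) { $findings += 'NoAutoUpdate=1: automatic updates are disabled by policy' }
    if ($au -and $au.AUOptions -notin 2, 3, 4, 5) { $findings += "AUOptions '$($au.AUOptions)' is not a valid mode (2-5)" }

    # The article forces wuauserv to Automatic via the GPO's System Services node
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if (-not $svc) { $findings += 'Windows Update service (wuauserv) not found' }
    elseif ($svc.StartType -eq 'Disabled') { $findings += 'Windows Update service (wuauserv) is Disabled' }

    if ($findings.Count -eq 0) { return @('OK: client policy matches the expected WSUS configuration') }
    return $findings
}

Test-WsusClientPolicy | ForEach-Object { Write-Output $_ }
```

Run it in an elevated PowerShell session on the client after gpupdate /force; a non-OK result usually explains why a computer is missing from its WSUS group or keeps scanning the Internet, which is the situation described in the comments below.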

After a while, clients will appear in their assigned computer groups in the WSUS console. Here you can see computer names, IP addresses, OS versions, the percentage of assigned patches they have installed, and the date of the last scan.

(Screenshot: Windows clients listed in their computer groups in the WSUS console)

Client computers download the CAB update files to the %windir%\SoftwareDistribution\Download directory. The WindowsUpdate.log files provide detailed logs of how the client scans for updates against WSUS, downloads, and installs them.

(Screenshot: downloaded CAB update files in the SoftwareDistribution\Download directory)

If you encounter error 0x80244010 when getting updates on clients, try changing the frequency of checking for updates on the WSUS server using the Automatic Update detection frequency policy option.

Configure Clients to Receive Updates from the Internet via GPO

Suppose you don’t have an intranet WSUS server. In that case, you can use the GPO settings discussed above to configure the settings for automatically receiving and installing updates on client computers from the Internet (from Windows Update servers).

In this case, set the GPO parameters that direct clients to a WSUS server to Not Configured (and disable the two settings that block Internet access to Windows Update):

  • Specify Intranet Microsoft update service location: Not Configured
  • Target group name for this computer: Not Configured
  • Do not allow update deferral policies to cause scans against Windows Update: Disabled
  • Do not connect to any Windows Update Internet locations: Disabled

(Screenshot: Windows Update GPO settings for getting updates from Microsoft Update servers on the Internet)

These GPO settings control how your domain computers download and install Windows updates from Microsoft Internet Update servers.

5 comments

Indresh June 10, 2020 - 11:51 am

What configuration needs to be done on the WSUS server, like pre-approved / auto-approve updates?
If we don’t approve an update on WSUS, will it get downloaded on the client machine?

djoeksanovic November 17, 2022 - 3:38 pm

Hello.

I am trying your solution, but when I run the PowerShell command get-windowsupdatelog,
the clients are getting the correct target group, but the servers go to the Unassigned Computers group.
How come?

admin January 8, 2023 - 1:01 pm

Check the following:
1) The option “Use Group Policy or registry settings on computers” should be enabled in the WSUS settings,
2) Check the resulting Group Policy settings on the client using rsop.msc. Make sure that the GPO sets the value for the “Target group name for this computer” parameter on the client. If not, check why your GPO is not applied (https://woshub.com/group-policy-not-applied-troubleshooting/)

Charlie January 15, 2025 - 4:13 pm

How do I work with subgroups to apply the policies?
I have the following structure:
canada —> information_technology —> infrastructure

But if I apply policies to the two sub-OUs, information_technology and infrastructure, I only see the information_technology computers; the infrastructure computers are grouped under Unassigned Computers.

If I delete or disable the information_technology GPO, then I see the computers in infrastructure, but for obvious reasons, with the GPO in information_technology disabled, it no longer shows computers.

admin January 24, 2025 - 8:07 am

Changing the GPO priority (Link processing order) in the Infrastructure OU can fix this.
The GPO with the lowest link order will be processed last. This should be the Infrastructure GPO in your case.
