WSUS Tutorial Part 5: Client settings

Welcome to my tutorial for the Windows Server Update Services Part 5: Client settings

This article covers how to make your clients and servers contact your WSUS server for updates and reporting. It won’t cover every available option, but it gives you the basic tools to create your policies.

This tutorial will set all settings via Group Policies. You can set the settings manually via registry keys, but GPOs should be preferred.

Please refer to your company’s policies for group policies before proceeding. You might have to adjust your GPOs accordingly.

Client’s Group Policy

We will create 2 different GPOs:
- One for your clients, which defines your WSUS as source. They will automatically search for updates daily at 12pm (noon) and install them if available.
- One for your servers. Again, your WSUS is the source, but your servers will download the updates only.

Open your Group Policy Management console.

Click through the tree view on the left side until you see the organizational unit with your clients. Right click it and select “Create a GPO in this domain, and link it here…”.

Create new GPO

This will open a new dialog, allowing you to name your new GPO. I will call it CC_WindowsUpdate-settings-clients. CC stands for computer configuration, as the Windows Update settings are defined in the computer configuration section. Click Ok to create your GPO.

Name the new GPO

Now expand your OU on the left side, find your newly created GPO and click on it. The “Scope” tab opens on the right side. It should look something like this:

GPO summary

You see that in my case it is linked to the OU “Clients” and it is available for “Authenticated Users” (which is a bit misleading, as this includes all domain computers too). If you prefer something easier to understand, change that to the group “Domain Computers”.

Click on the tab “Details”. This page shows you some metadata about your policy. Click on the drop-down menu “GPO Status” and change it to “User configuration settings disabled”. This tells your clients that this GPO does not contain user configuration settings, which accelerates the processing (a little bit).

Disable user configuration

The “Settings” tab shows you which settings are contained in that GPO. As we have not defined anything yet, it just shows you information from the other tabs.

“Delegation” shows you the permissions for users, computers and groups.

So, now we are going into the GPO. Right click your GPO’s entry on the left side and select “Edit…”. This opens the Group Policy Management Editor with your GPO.

GPO editor

Open the following path on the left: Computer Configuration > Policies > Administrative Templates (This might take a while to load) > Windows Components > Windows Update
All available settings are listed on the right side. If a setting has been set, its state is listed as enabled or disabled. Otherwise it is “Not configured”. You can define/change them by double clicking.

First define your WSUS as update source and reporting target: Open the policy “Specify intranet Microsoft update service location”. Click “Enabled” at the top to activate the text fields. You need to define your WSUS as a web address. So start with http:// or, if you have set up SSL, https:// and then add the fully qualified name of your server or the alias (server01.mycompany.com or wsus.mycompany.com). Finally add the port. For non-SSL it is :8530, for SSL :8531 (include the colon).
We assume that you are using SSL with an alias. That would make your address: https://wsus.mycompany.com:8531

Specify intranet location

The next important policy is “Configure Automatic Updates”. Open it with a double click and set it to “Enabled”.
We want to let the clients search for updates daily at 12pm and install any update when it becomes available.
Set “Configure automatic updating” to “4 – Auto download and schedule install”. The download of updates will happen when the client contacts your WSUS (normally after boot and every 22 hours, as long as you did not specify a different interval).
Schedule install day is “0 – Every Day” and Schedule install time is “12pm” (or in my image “12:00”). Additionally check “Every week” and leave the other options unchecked. Now check “Install updates for other Microsoft products” and close the dialog with “Ok”.

Configure automatic updates

That’s all for now for your clients. You can go through the other policies as well if you want to define your update mechanism further.

Close all dialogs and the editor. Your changes are saved automatically.
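
The same client GPO can be built from PowerShell with the GroupPolicy module, which makes the settings reviewable and repeatable. This is an added example, not part of the original tutorial; the OU path is an assumption, and the registry value names are the ones the two policies write under the Windows Update policy key.

```powershell
# Added example: scripted equivalent of the editor steps above.
# Needs the GroupPolicy module (RSAT) and rights to create and link GPOs.
Import-Module GroupPolicy

# Assumed values; replace with your own OU and WSUS address.
$GpoName  = 'CC_WindowsUpdate-settings-clients'
$TargetOu = 'OU=Clients,DC=mycompany,DC=com'
$WsusUrl  = 'https://wsus.mycompany.com:8531'

# The tutorial assumes SSL: refuse anything that is not https:// with an explicit port.
if (([uri]$WsusUrl).Scheme -ne 'https' -or $WsusUrl -notmatch ':\d+$') {
    throw "WSUS address '$WsusUrl' must look like https://<fqdn>:<port>"
}

$gpo = New-GPO -Name $GpoName -Comment 'WSUS source and scheduled install for clients'
$gpo.GpoStatus = 'UserSettingsDisabled'   # same as the "GPO Status" drop-down
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

$wu = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# "Specify intranet Microsoft update service location": update source and reporting target
foreach ($name in 'WUServer', 'WUStatusServer') {
    Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName $name `
        -Type String -Value $WsusUrl | Out-Null
}

# "Configure Automatic Updates" with the values chosen in the dialog
$auValues = [ordered]@{
    UseWUServer               = 1    # use the intranet server defined above
    NoAutoUpdate              = 0    # policy is "Enabled"
    AUOptions                 = 4    # 4 - Auto download and schedule the install
    ScheduledInstallDay       = 0    # 0 - Every day
    ScheduledInstallTime      = 12   # hour of the day, 12 = 12:00
    ScheduledInstallEveryWeek = 1    # "Every week" checked
    AllowMUUpdateService      = 1    # "Install updates for other Microsoft products"
}
foreach ($entry in $auValues.GetEnumerator()) {
    Set-GPRegistryValue -Name $GpoName -Key $au -ValueName $entry.Key `
        -Type DWord -Value $entry.Value | Out-Null
}

# Export a report so the result can be compared with the "Settings" tab.
Get-GPOReport -Name $GpoName -ReportType Xml -Path "$env:TEMP\$GpoName.xml"
```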

Server’s Group Policy

For your server policy the procedure is nearly identical. Create a new GPO in your servers’ OU and name it CC_WindowsUpdate-settings-server. Disable the user configuration and open it in the editor (double click on the policy in the tree view on the left).
Open the following path on the left: Computer Configuration > Policies > Administrative Templates (This might take a while to load) > Windows Components > Windows Update
Specify your WSUS in the policy “Specify intranet Microsoft update service location”.

Now open the policy “Configure Automatic Updates”.
Set it to enabled and change “Configure automatic updating” to “3 – Auto download and notify for install”. Now check “Install updates for other Microsoft products” and close the dialog with “Ok”.

Configure server updates

Apply to clients/servers

That’s all. Your clients and servers will pick up the settings with the next group policy refresh. Please note that the settings will take effect after a reboot or after restarting the Windows Update service (wuauserv).
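
To confirm on a client or server that the policy has actually arrived, the values can be read back from the local policy registry key and compared with what the GPO should deliver. This check is an added example, not part of the original tutorial; the function name `Test-WsusClientPolicy` and the default URL are assumptions.

```powershell
# Added example: compare the Windows Update policy values on this machine
# with the settings from the tutorial. Run locally after a policy refresh.
function Test-WsusClientPolicy {
    param(
        [string]$ExpectedUrl   = 'https://wsus.mycompany.com:8531',  # assumed address
        [int]$ExpectedAuOption = 4                                    # 4 = clients, 3 = servers
    )
    $wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    # Missing keys return $null, which shows up below as a failed check.
    $wu = Get-ItemProperty -Path $wuPath      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuPath\AU" -ErrorAction SilentlyContinue

    $rows = @(
        @{ Name = 'WUServer';             Actual = $wu.WUServer;             Expected = $ExpectedUrl }
        @{ Name = 'WUStatusServer';       Actual = $wu.WUStatusServer;       Expected = $ExpectedUrl }
        @{ Name = 'URL scheme';           Actual = ([uri]$wu.WUServer).Scheme; Expected = 'https' }
        @{ Name = 'UseWUServer';          Actual = $au.UseWUServer;          Expected = 1 }
        @{ Name = 'NoAutoUpdate';         Actual = $au.NoAutoUpdate;         Expected = 0 }
        @{ Name = 'AUOptions';            Actual = $au.AUOptions;            Expected = $ExpectedAuOption }
        @{ Name = 'AllowMUUpdateService'; Actual = $au.AllowMUUpdateService; Expected = 1 }
    )
    if ($ExpectedAuOption -eq 4) {
        # The schedule only applies to the client policy (option 4).
        $rows += @{ Name = 'ScheduledInstallDay';  Actual = $au.ScheduledInstallDay;  Expected = 0 }
        $rows += @{ Name = 'ScheduledInstallTime'; Actual = $au.ScheduledInstallTime; Expected = 12 }
    }
    foreach ($r in $rows) {
        [pscustomobject]@{
            Setting  = $r.Name
            Expected = $r.Expected
            Actual   = $r.Actual
            Ok       = ("$($r.Actual)" -eq "$($r.Expected)")
        }
    }
}

# gpupdate /target:computer /force     # refresh computer policy first
$result = Test-WsusClientPolicy        # on a server: -ExpectedAuOption 3
$result | Format-Table -AutoSize
if ($result.Ok -contains $false) {
    Write-Warning 'Policy not applied as expected; check GPO link, scope and gpresult /r /scope:computer.'
} else {
    Write-Host 'Policy matches. Restart wuauserv or reboot for it to take effect.'
}
```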
