Once WSUS has been installed, the organization must decide how to use WSUS to configure the updates for the client servers under its control. Organizations which don’t use Active Directory or group policies will have to manually configure every client server’s settings with the location of the WSUS server. This can be done either through a local policy or manually through the Registry settings.
However, in most circumstances the organization will be using Active Directory and can configure all clients.
Configuring WSUS Clients via Group Policy
A group policy in an Active Directory environment can be used to configure the Automatic Updates client which is included with all current versions of Windows. In Windows Server 2008 R2 the domain controllers automatically contain the correct Windows Update Group Policy extension, and a group policy can be defined by following the steps below:
- Launch Group Policy Management (available at Start > All Programs > Administrative Tools > Group Policy Management).
- Navigate to the unit in your organization which will have the group policy applied, right-click on the name of the unit, and then select Create a GPO in This Domain, and Link It Here.
- Add a name for the new GPO (there is also an option to start from the existing settings of a current GPO). Click OK.
- Right-click your new GPO and then select Edit to start the Group Policy Management Editor, and then expand it to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
- Double-click on the Configure Automatic Updates setting.
- Set the policy to Enabled, and then configure the automatic updating sequence as required. The three options (2, 3, 4) enable different degrees of client intervention. To enable client-independent installation select option 4 (Auto-download and schedule the install).
- Next, schedule the interval at which updates will be installed and note that some updates will require a reboot.
- Select Next Setting for more configuration options.
- Click Enabled to set the location of your organization’s WSUS server; it is recommended to enter the fully qualified domain name of the server. Enter both settings (normally the same server), and then click OK to save the Group Policy settings. Then click Next Setting. (Note that organizations which elect to use a custom IIS website will have to use port 8530 for client access to WSUS, in which case enter the web location appended with the port number, for example http://defr.winserverorg.com:8530, for both settings.)
- Set the interval at which the client will check for updates, and then click Next Setting.
- Review all the remaining option settings and configure them as required. Then click OK.
- Repeat the above 12 steps for additional organizational units.
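To confirm that the policy reached a client, the values it writes can be read back from the Registry and compared with what was configured. The PowerShell below is an added example, not part of the original article; it assumes the standard Windows Update policy key and its AU subkey, the function names are hypothetical, and the sample values are constructed.

```powershell
# Added example: audit the WSUS client policy values on a managed machine.
# Assumption: policy values live under this key and its AU subkey.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Collect the policy values from both keys into one hashtable.
    $policy = @{}
    foreach ($path in $WuKey, "$WuKey\AU") {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item) {
            $item.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |   # skip provider metadata
                ForEach-Object { $policy[$_.Name] = $_.Value }
        }
    }
    return $policy
}

function Test-WsusClientPolicy {
    # Returns one finding per setting that differs from the intended policy.
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        [Parameter(Mandatory)][string]$ExpectedServer
    )
    $findings = @()
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if ($Policy[$name] -ne $ExpectedServer) {
            $findings += "$name is '$($Policy[$name])', expected '$ExpectedServer'"
        }
    }
    if ($Policy['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1, so the WSUS location is not used'
    }
    if ($Policy['AUOptions'] -ne 4) {
        $findings += "AUOptions is '$($Policy['AUOptions'])', expected 4 (auto-download and schedule the install)"
    }
    return $findings
}

# Constructed sample: status server is missing the port and AUOptions is 3.
$sample = @{
    WUServer       = 'http://defr.winserverorg.com:8530'
    WUStatusServer = 'http://defr.winserverorg.com'
    UseWUServer    = 1
    AUOptions      = 3
}
Test-WsusClientPolicy -Policy $sample -ExpectedServer 'http://defr.winserverorg.com:8530'
# On a client: Test-WsusClientPolicy -Policy (Get-WsusClientPolicy) -ExpectedServer '<your WSUS URL>'
```

An empty result means the client matches the intended settings; the constructed sample returns two findings, one for the status server URL and one for AUOptions.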
Depending on which settings are chosen by the Registry or group policy, clients which are managed by WSUS will automatically download updates throughout the day and then install the updates at a specified time. Client servers which are configured to use WSUS for updates will not be prompted to configure their Automatic Update settings, which will be grayed out to prevent changes from being made. Users without local admin access will not be able to make any changes to the installation schedule, although local admin users are able to postpone forced installs.
It is normally considered best practice to allow servers to control the download and install schedule, but force all clients to do both download and installation automatically.