Using Windows Server Update Services – WSUS

Once WSUS has been installed, the organization must decide how to use it to deliver updates to the client servers under its control. Organizations that don't use Active Directory or group policies will have to manually configure every client server's settings with the location of the WSUS server. This can be done either through a local policy or manually through the Registry settings.

However, in most circumstances the organization will be using Active Directory and can configure all clients through Group Policy.

Configuring WSUS Clients via Group Policy

A group policy in an Active Directory environment can be used to configure the Automatic Updates client, which is included with all current versions of Windows. In Windows Server 2008 R2 the domain controllers automatically contain the correct Windows Update Group Policy extension, and a group policy can be defined by following the steps below:

  1. Launch Group Policy Management (available at Start > All Programs > Administrative Tools > Group Policy Management).
  2. Navigate to the organizational unit which will have the group policy applied, right-click the name of the unit, and then select Create a GPO in This Domain, and Link It Here.
  3. Add a name for the new GPO (there is also an option to start from the existing settings of a current GPO). Click OK.
  4. Right-click your new GPO and then select Edit to start the Group Policy Management Editor, and then expand it to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
  5. Double-click on the Configure Automatic Updates setting.
  6. Set the policy to Enabled, and then configure the automatic updating sequence as required. The three options (2, 3, 4) enable different degrees of client intervention. To enable client-independent installation, select option 4 (Auto-download and schedule the install).
  7. Next, schedule the interval at which updates will be installed, and note that some updates will require a reboot.
  8. Select Next Setting for more configuration options.
  9. Click Enabled to set the location of your organization's WSUS server; it is recommended to enter the fully qualified domain name of the server. Enter both settings (normally the same server), and then hit OK to save the Group Policy settings. Then click Next Setting. (Note that organizations which elect to use a custom IIS website will have to use port 8530 for client access to WSUS, in which case enter the web location appended with the port number, for example http://defr.winserverorg.com:8530, for both settings.)
  10. Set the interval at which the client will check for updates, and then click Next Setting.
  11. Review all the remaining settings and configure them as required. Then click OK.
  12. Repeat the above 12 steps for additional organizational units.

Depending on which settings are chosen through the Registry or group policy, clients which are managed by WSUS will automatically download updates throughout the day and then install the updates at a specified time. Client servers which are configured to use WSUS for updates will not be prompted to configure their Automatic Update settings, which will be grayed out to prevent changes from being made. Users without local admin access will not be able to make any changes to the installation schedule, although local admin users are able to postpone forced installs.

It is normally considered best practice to allow servers to control the download and install schedule, but force all clients to do both download and installation automatically.
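
To confirm on a client that the settings from the steps above (or a manual Registry edit) have actually taken effect, the Windows Update policy values can be read back from the Registry. The script below is an added example, not part of the original article; the expected server URL is an assumption that reuses the sample address from step 9, and the helper name Get-PolicyValue is hypothetical.

```powershell
# Added example (not from the original page): audit the WSUS client policy
# that Group Policy or a manual Registry edit has written on this machine.
# $ExpectedServer is an assumption; it reuses the sample URL from step 9.
param([string]$ExpectedServer = 'http://defr.winserverorg.com:8530')

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# Values written by the settings configured in steps 5 to 10.
$policy = @{
    WUServer             = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer       = Get-PolicyValue $wuKey 'WUStatusServer'
    UseWUServer          = Get-PolicyValue $auKey 'UseWUServer'
    AUOptions            = Get-PolicyValue $auKey 'AUOptions'
    ScheduledInstallDay  = Get-PolicyValue $auKey 'ScheduledInstallDay'   # 0 = every day
    ScheduledInstallTime = Get-PolicyValue $auKey 'ScheduledInstallTime'  # hour, 0-23
    DetectionFrequency   = Get-PolicyValue $auKey 'DetectionFrequency'    # hours
}

$findings = @()
if (-not $policy.WUServer) {
    $findings += 'WUServer is not set: client is not pointed at a WSUS server'
} elseif ($policy.WUServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
    $findings += "WUServer is '$($policy.WUServer)', expected '$ExpectedServer'"
}
if ($policy.WUStatusServer -ne $policy.WUServer) {
    $findings += 'WUStatusServer differs from WUServer (step 9 normally uses the same server)'
}
if ($policy.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1: the WUServer value is ignored'
}
if ($policy.AUOptions -ne 4) {
    $findings += "AUOptions is '$($policy.AUOptions)', not 4 (auto-download and schedule the install)"
} elseif ($null -eq $policy.ScheduledInstallTime) {
    $findings += 'AUOptions is 4 but no ScheduledInstallTime is set'
}

$policy.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'WSUS client policy matches the expected configuration.'
}
```

Run it on a client after Group Policy has refreshed; values that come back empty indicate that the GPO has not applied to that machine.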