Configuring Group Policy Settings for WSUS
You can configure any single setting one time with Group Policy and have it apply to all the clients in a site, domain, or organizational unit (OU). If you want all the clients to receive their updates from your WSUS server, you can configure the clients with Group Policy. You can either create a new Group Policy object (GPO) or modify an existing one.
The Group Policy node that is configured is Computer Configuration → Policies → Administrative Templates → Windows Components → Windows Update.
GPO setting that can be manipulated to configure clients for Automatic Updates. Once the setting is set to Enabled, you can select one of four settings from the Configure Automatic Updating drop-down box.
The choices available from the Configure Automatic Updating drop-down box are numbered 2 through 5. If Configure Automatic Updates is set to Disabled, updates must be downloaded and installed manually, and this value is 1 (which isn't selectable from the drop-down box). The four choices numbered 2 through 5 are as follows:
2 - Notify for Download and Notify for Install When updates become available for download, an icon appears in the status area of the taskbar to inform the user that updates are available, but the update is not automatically downloaded. This can be used for clients located in remote sites who need to connect to the WSUS server over a slow wide area network connection. However, it has an inherent risk because it depends on the user to download and install the updates.
3 - Auto Download and Notify for Install This is the default setting when this Group Policy setting is enabled, but it is not the best setting. The update is downloaded based on the schedule but not installed. An icon appears in the status area that the user can click to initiate the installation. Just as with the previous option, it has an inherent risk because it depends on the user to take action to install the updates.
4 - Auto Download and Schedule the Install When using WSUS, this is the commonly used setting. The update is automatically downloaded to the client, and the installation of the update is scheduled. By default, the scheduled install occurs every day at 3:00 AM, though you can change the day and time setting.
5 - Allow Local Admin To Choose Setting This option allows a local administrator to select one these options. However, the local administrator cannot disable Automatic Updates. In other words, Automatic Updates will be scheduled, but the local administrator can choose whether the update is automatically downloaded and/or automatically installed via the Windows Update console.
The Specify Intranet Microsoft Update Service Location Properties setting. You'd use this to confi gure the clients to use the WSUS server for updates instead of getting updates from the Windows Update site.
The WSUS statistics server is a single WSUS server that collects information from all WSUS-managed clients in the enterprise.
Note If your environment has multiple WSUS servers, you can direct some clients to use one WSUS server with one GPO and direct other clients to use other WSUS servers with other GPOs However, a central WSUS server would still be used for overall statistics in the enterprise, so the intranet statistics server setting would be the same for all clients in the enterprise.
You can also configure how often clients check to see if updates are available. The Automatic Updates Detection Frequency with an interval of 20 hours selected. This time isn't specific but is instead randomized around the number entered.
The actual time when a client is checked is a random number between 80 percent of the given number and 120 percent of the number. With the number at 20, the client would check at some point between 16 hours (20 x 0.80) and 24 hours (20 x 1.2) after the last check. The default setting is 22, causing clients to check for updates at random intervals of between about 17.6 and 26.4 hours. Other Group Policy settings exist that can be manipulated, but these are the common ones.
In this tutorial:
- Windows 7 and Other software Up to Date
- Understanding Windows Live
- Updates versus upgrades
- Why updates are important
- Windows Update
- Windows Update: The essentials
- Types of Updates
- Completing an Update
- Configuring automatic Updating
- Windows Update Applet and Functions
- Manually Install Updates Using Windows Update
- Action Center
- Updates Do Not Install Properly
- Other Windows Update Settings
- Configuring Windows 7 Update to Use a Proxy Server
- Can't Find Hidden Update
- Viewing and Changing Installed Updates
- Can't Uninstall Current Update
- Upgrade Windows Anytime
- Understanding Windows Server Update Services
- Windows Update Policies
- Updating Drivers
- Using Device Manager to Update Drivers
- Windows Update Driver Settings
- Windows 7 Service Packs
- Basic Service Pack Information
- Installation of Service Packs
- Installing and Removing Software
- Installation via CD or DVD
- Problem Installing from Disc
- Installation via Downloaded Program
- Viewing and Changing Programs
- Uninstalling Software
- Compatibility Issues in 64-Bit Version
- Upgrade Issues with 64-Bit Windows 7
- Other Program Compatibility Issues
- Side-by-Side Installs and Virtual Registries
- Removing Updates from Windows 7
- Thwarting Exploits with DEP
- Microsoft Baseline Security Analyzer
- Picking Computers to Scan
- Vulnerability Checks
- Installing MBSA
- Running the MBSA
- Running the MBSACLI
- MBSACLI Location
- Running in an Isolated Environment
- Using Windows Server Update Services
- WSUS Updates
- WSUS Requirements
- Installing, Configuring, and Using WSUS
- Adding the Application Server and Web Server (IIS) Roles
- Installing the Report Viewer
- Installing WSUS
- Configuring Group Policy Settings for WSUS
- Creating a GPO to Configure Clients to Use WSUS
- Verifying That Clients Are Using GPO Settings for WSUS
- Verifying That Clients Are Using GPO Settings with GPResult
- Creating Computer Groups on WSUS
- Approving Updates in WSUS
- Viewing WSUS Reports