Configuring WSUS with Group Policy
In this lecture, I will show you how to configure your WSUS clients with Group Policy.
Open the IPDC01 server and open Server Manager > Tools > Group Policy Management and create a new GPO.
Expand the Forest: instructorpaul.com > Domains > instructorpaul.com. Right-click instructorpaul.com and select from the context menu Create a GPO in this domain and link it here...
Give the GPO a name that is relevant to WSUS. Let’s call it WSUS Client Configuration and click OK.
Right-click the GPO and select Edit.
Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
There are a lot of settings here, but only a couple that we really have to configure.
Choose Configure Automatic Updates by right-clicking on it and selecting Edit.
On the Configure Automatic Update settings window, we can configure the settings for every Windows computer in our domain.
Choose the Enabled radio button and under Options for the option to Configure automatic updating choose 4 - Auto download and schedule the install.
We do not want our users choosing whether or not to install their updates because most people avoid updating their workstations.
For the Scheduled install day, choose 0 - Every day, and for the Scheduled install time, choose 22:00. Choose a day and time when your users are not using their workstations. If you have a 24/7 environment, you can choose a weekend or a time when business is slow.
Check the Install updates for other Microsoft products check box.
The final result for our configuration looks like the following:
Now, let’s configure the Specify intranet Microsoft update service location setting. By default, our workstations will be downloading updates from Microsoft but we want to point our workstations to our WSUS server. Right-click and choose Edit.
Choose the Enabled radio button and type http://ipwsus01:8530 for both fields under the Options section. Click OK.
The last setting I recommend configuring is Automatic Updates detection frequency. Right-click the setting and choose Edit.
Choose the Enabled radio button. Change the interval to 1 hour and click OK.
We use a short interval because this is a lab; in a production environment, the default of 22 hours will be fine and avoids network overload.
Now, close the Group Policy Management Editor and minimize the Group Policy Management.
Open a Command Prompt: click the Windows icon at the bottom left, type CMD, then right-click the app and select Run as administrator.
Type gpupdate /force.
Now type gpresult /r. This will list all the GPOs that are being applied to our computer and user accounts.
Since we configured it under Computer Configuration, our policy will appear under Computer Settings with the name WSUS Client Configuration.
One last thing we want to check is the Registry Settings to make sure we are pointing to the correct server.
Click on the Windows icon to the bottom left and type regedit. This will show the regedit application. Click on it to open it up.
Now browse to HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows > WindowsUpdate.
If we look at the right pane, we can see that WUServer and WUStatusServer are set to our WSUS server. That means the GPO is working. Close the Registry Editor window.
Now, we are going to force this computer to check in right away.
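The same registry check can be scripted so it covers every setting chosen in this lesson, not only the two server values. The script below is an added example, not part of the original lesson: the server URL and option values come from the steps above, while the value names under the AU subkey are the standard Windows Update policy value names and do not appear on this page.

```powershell
# Added example: compare the applied Windows Update policy values with the
# settings chosen in this lesson. Run in an elevated PowerShell session.
$wsusUrl = 'http://ipwsus01:8530'   # from the lesson
$wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey   = "$wuKey\AU"              # Automatic Updates subkey (assumed standard layout)

$expected = @(
    @{ Key = $wuKey; Name = 'WUServer';                  Value = $wsusUrl }
    @{ Key = $wuKey; Name = 'WUStatusServer';            Value = $wsusUrl }
    @{ Key = $auKey; Name = 'UseWUServer';               Value = 1 }   # use the intranet server
    @{ Key = $auKey; Name = 'NoAutoUpdate';              Value = 0 }   # automatic updates enabled
    @{ Key = $auKey; Name = 'AUOptions';                 Value = 4 }   # auto download and schedule install
    @{ Key = $auKey; Name = 'ScheduledInstallDay';       Value = 0 }   # every day
    @{ Key = $auKey; Name = 'ScheduledInstallTime';      Value = 22 }  # 22:00
    @{ Key = $auKey; Name = 'DetectionFrequencyEnabled'; Value = 1 }
    @{ Key = $auKey; Name = 'DetectionFrequency';        Value = 1 }   # hours
)

$report = foreach ($item in $expected) {
    # A missing key or value yields $null instead of an error.
    $props  = Get-ItemProperty -Path $item.Key -Name $item.Name -ErrorAction SilentlyContinue
    $actual = if ($props) { $props.($item.Name) } else { $null }
    [pscustomobject]@{
        Setting  = $item.Name
        Expected = $item.Value
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Match    = ($null -ne $actual) -and ("$actual" -eq "$($item.Value)")
    }
}
$report | Format-Table -AutoSize

if ($report.Match -contains $false) {
    Write-Warning 'Some values differ from the GPO. Run gpupdate /force and check gpresult /r.'
}

# The lab URL is plain HTTP. Microsoft recommends TLS for WSUS in production,
# so report the transport each client is actually configured to use.
$server = ($report | Where-Object Setting -eq 'WUServer').Actual
if ($server -like 'http://*') {
    Write-Warning "WUServer uses unencrypted HTTP ($server). Acceptable in a lab; use HTTPS in production."
}
```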
Click on the Windows icon on the bottom left and type wuauclt /detectnow.
We repeat the step and this time type wuauclt /reportnow.
Note that there’s no window that will pop up.
Open the WSUS console and check if the server IPDC01 is showing up on the list.