In the previous articles, we described how to install and configure the WSUS server role on Windows Server 2019. In this post, we will configure the Group Policy settings to deploy automatic updates to client computers.

Overview:

After installing and configuring the WSUS server role, the next step is to configure Group Policy settings to determine how WSUS clients will receive updates.

We need to direct each client to communicate with the WSUS server to check for new updates instead of using Microsoft Update over the Internet. Using Group Policy, you can point your client machines to the local WSUS server instead of the Microsoft Update server.

In an Active Directory environment, you can use Group Policy to specify the WSUS server. You can create the GPO and apply it at the domain level. You can also apply the GPO to a specific OU if you want to target specific computers only.

Steps to create a new GPO:

Log in to your domain controller and open Server Manager.

From Server Manager, click on Tools. Then select Group Policy Management.

Expand your domain name. Then expand the Group Policy Objects container.

To create a new GPO, right-click the Group Policy Objects container and select New.

Give a meaningful name to the new GPO. For example, Test WSUS GPO. Click on OK.

Steps to set up the WSUS group policy settings:

Right-click the newly created GPO and select Edit.

Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.

There are several policies related to WSUS settings. Of course, you do not have to enable all of them. 

Locate and double-click the policy named “Specify Intranet Microsoft Update Service Location”.

To enable the policy, select the Enabled radio button.

Specify the intranet update service and intranet statistics server. In our case, the location will be http://ws2k19-wsus.mylab.local:8530. Click Apply and OK.

Locate and double-click the “Configure Automatic Updates” policy.

Click Enabled and select one of the following options:

Notify for download and auto-install: This option notifies a logged-on administrative user before the download and before the installation of the updates.

Auto download and notify for install: This option automatically begins downloading updates and then notifies a logged-on administrative user before installing the updates.

Auto download and schedule the install: If Automatic Updates is configured to perform a scheduled installation, you must also set the day and time for the recurring scheduled installation.

Allow local admin to choose setting: With this option, the local administrators are allowed to use Automatic Updates in Control Panel to select a configuration option of their choice. For example, they can choose their own scheduled installation time. Local administrators are not allowed to disable Automatic Updates.

Once you are ready, click on Apply and OK.

The Automatic Update detection frequency policy specifies the hours that Windows will use to determine how long to wait before checking for available updates.

Double-click the “Automatic Update detection frequency” policy.

Set the option as per your requirement. Click on Apply and OK.

Close the group policy editor console.

At a minimum, we need to configure these three policies for the WSUS server.

Link the GPO to the OU containing computer accounts.

Steps to link the WSUS GPO to OU:

For this article, we have created one OU named TestServerAccounts. Under this OU we have stored the computer account of our member server, WS2K19-SRV01. For testing purposes, we will link the GPO to this OU and check the result on the WS2K19-SRV01 server.

Right-click the TestServerAccounts OU and select the Link an Existing GPO option.

Select the GPO which we have created earlier. Click on OK.
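
The GUI procedure above (create the GPO, set the three policies, link it to the OU) can also be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original article; the OU distinguished name is assumed from the mylab.local domain in the WSUS URL, and AUOptions 3 and the 22-hour detection interval are example choices.

```powershell
# Added example: scripted equivalent of the GUI steps in this article.
# Needs the GroupPolicy module (domain controller or RSAT) and rights to
# create and link GPOs.
Import-Module GroupPolicy

$gpoName  = 'Test WSUS GPO'                            # name used in the article
$wsusUrl  = 'http://ws2k19-wsus.mylab.local:8530'      # URL used in the article
$targetOu = 'OU=TestServerAccounts,DC=mylab,DC=local'  # assumed DN, adjust to your domain

$wuKey = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Create the GPO only if it does not exist yet, so the script can be re-run.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

# Registry values behind the three policies configured in the article.
$settings = @(
    # Specify intranet Microsoft update service location
    @{ Key = $wuKey; Name = 'WUServer';       Type = 'String'; Value = $wsusUrl }
    @{ Key = $wuKey; Name = 'WUStatusServer'; Type = 'String'; Value = $wsusUrl }
    @{ Key = $auKey; Name = 'UseWUServer';    Type = 'DWord';  Value = 1 }
    # Configure Automatic Updates (3 = auto download and notify for install)
    @{ Key = $auKey; Name = 'NoAutoUpdate';   Type = 'DWord';  Value = 0 }
    @{ Key = $auKey; Name = 'AUOptions';      Type = 'DWord';  Value = 3 }
    # Automatic Update detection frequency, in hours (example value)
    @{ Key = $auKey; Name = 'DetectionFrequencyEnabled'; Type = 'DWord'; Value = 1 }
    @{ Key = $auKey; Name = 'DetectionFrequency';        Type = 'DWord'; Value = 22 }
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name `
        -Type $s.Type -Value $s.Value | Out-Null
}

# Link the GPO to the OU unless a link is already present.
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Show what was written, for review before clients pick it up.
Get-GPRegistryValue -Name $gpoName -Key $wuKey
Get-GPRegistryValue -Name $gpoName -Key $auKey
```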

Test the GPO settings:

It will take about 20 minutes after Group Policy refreshes the new settings on the client computer. By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0 to 30 minutes. If you want to refresh Group Policy sooner, you can go to a command prompt on the client computer and type: “gpupdate /force”.

If you’ve followed this article, you should see your servers or computers under the Unassigned Computers group.

If your computer account does not appear in the WSUS console, you can run the commands “wuauclt /detectnow” and “wuauclt /reportnow” on the client PCs.

These commands force the client PC to contact the WSUS server immediately.
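
When a client still does not show up, it helps to confirm on the client that the GPO actually landed and that the WSUS port is reachable. The following check is an added example, not part of the original article. It reads the policy registry values that the three settings write, and it also flags an http:// update URL such as the one used here, because update metadata then travels without TLS (a WSUS server configured for SSL listens on port 8531 by default).

```powershell
# Added example: run in PowerShell on the client, e.g. WS2K19-SRV01.
$expectedUrl = 'http://ws2k19-wsus.mylab.local:8530'   # URL set in the GPO
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the GPO has not applied yet.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$auOptionNames = @{
    2 = 'Notify for download and auto install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

$wuServer   = Get-PolicyValue $wuKey 'WUServer'
$wuStatus   = Get-PolicyValue $wuKey 'WUStatusServer'
$useWu      = Get-PolicyValue $auKey 'UseWUServer'
$auOptions  = Get-PolicyValue $auKey 'AUOptions'
$freqOn     = Get-PolicyValue $auKey 'DetectionFrequencyEnabled'
$freqHours  = Get-PolicyValue $auKey 'DetectionFrequency'

$auText = if ($null -ne $auOptions) { $auOptionNames[[int]$auOptions] } else { $null }
$uri    = if ($wuServer) { [uri]$wuServer } else { $null }

# TCP reachability of the WSUS host and port taken from the applied policy.
$reachable = $false
if ($uri) {
    $reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

$results = @(
    [pscustomobject]@{ Check = 'WUServer matches GPO';       Value = $wuServer;  Pass = ($wuServer -eq $expectedUrl) }
    [pscustomobject]@{ Check = 'WUStatusServer matches GPO'; Value = $wuStatus;  Pass = ($wuStatus -eq $expectedUrl) }
    [pscustomobject]@{ Check = 'UseWUServer enabled';        Value = $useWu;     Pass = ($useWu -eq 1) }
    [pscustomobject]@{ Check = 'Automatic Updates option';   Value = $auText;    Pass = ($auOptions -in 2..5) }
    [pscustomobject]@{ Check = 'Detection frequency (h)';    Value = $freqHours; Pass = ($freqOn -eq 1 -and $freqHours -ge 1) }
    [pscustomobject]@{ Check = 'WSUS port reachable';        Value = $uri;       Pass = $reachable }
    [pscustomobject]@{ Check = 'Update URL uses HTTPS';      Value = $uri.Scheme; Pass = ($uri.Scheme -eq 'https') }
)
$results | Format-Table -AutoSize
```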

This completes the steps to configure the Group Policy Settings for WSUS in Windows Server 2019. I am sure this guide will help you to set up the WSUS.
