Configure WSUS to deploy updates using Group Policy


I created this step-by-step guide for people who don’t understand, or want to learn, how to configure WSUS to deploy updates using Group Policy. The process is very simple, but very efficient for a large and even a small network. To understand what I’m talking about, think of a network of 300 PCs; maybe that network is already in your company. You deployed a WSUS server but clients still go to Microsoft for updates, and you want to point them to your WSUS server. Of course, it is an ugly job to do this manually for 300 clients, but this is where Group Policy comes in. All you have to do is make some configuration settings in WSUS, create a new GPO (Group Policy Object), configure that GPO, and attach it to an OU (Organizational Unit) in AD. Easy, huh? Now let’s see how it’s done.

First let’s configure WSUS settings; open your WSUS console, go to Options and click Computers. This is where we tell WSUS how computers are added to groups. I’m going to talk about groups in a moment.

The default option is to add those computers manually, but we don’t want that, so choose the second option Use Group Policy or registry setting on computers. Click OK.

Now let’s talk about groups and create some. The main purpose of groups in WSUS is to organize computers. Think of these groups like OUs in AD. To create some groups, right-click on All Computers and choose Add Computer Group. I’m going to create three groups here: the first will be Staff Computers, for all my Windows 7 systems, the second is called Student Computers, and the third I will call Servers.

We are done with WSUS for now. Now let’s go to the DC to create the update policy. Open Group Policy Management from Administrative Tools > Group Policy Management. Here we need to create three GPOs: one for the staff computers, one for the student computers and one for the servers. Right-click the OU where your staff computers reside and choose Create a GPO in this domain, and Link it here.

Expand Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. As you can see, we have a lot of options here to configure Windows updates, but I’m going to configure just some of them; the rest I’ll leave to you.

Open Configure Automatic Updates, select Enable, and under Options choose the way updates are going to be installed on clients.

Open Specify intranet Microsoft update service location, select Enable, and under Options type the address of your WSUS server, in the form http://servername:port. The port is optional; specify it only if your WSUS site is installed on a different port (8530). Here you can put the NetBIOS name, FQDN or IP. In this case I’m going to use the NetBIOS name.

Open Enable client-side targeting and select Enable. Remember the three groups that we created on WSUS (staff, student computers and servers)? Now it is time to use one of them. In the Target group name for this computer box type Staff, click OK, and close the Group Policy Management Editor.

We are done configuring; it’s time to test. Restart the clients or force the policy on them in order for it to take effect. If you are not in a rush, just wait between 90-120 min for the policy to apply on clients.

You can force the policy using the gpupdate /force command. Now if you take a look in WSUS, you should see your clients already added to their computer groups.
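
To confirm on a client that the three policy settings above actually landed, you can read the registry values the GPO writes. This is an added example, not part of the original guide; the `$ExpectedGroups` list and the `Get-PolicyValue` helper are assumptions made for illustration, so replace the group names with the ones in your own WSUS console.

```powershell
# Added example: run on a client after gpupdate to confirm the WSUS GPO applied.
# Assumption: group names as created in the WSUS console; edit to match yours exactly.
$ExpectedGroups = 'Staff Computers', 'Student Computers', 'Servers'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing (policy not applied yet).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$state = [ordered]@{
    WUServer           = Get-PolicyValue $wuKey 'WUServer'
    UseWUServer        = Get-PolicyValue $auKey 'UseWUServer'
    AUOptions          = Get-PolicyValue $auKey 'AUOptions'
    TargetGroupEnabled = Get-PolicyValue $wuKey 'TargetGroupEnabled'
    TargetGroup        = Get-PolicyValue $wuKey 'TargetGroup'
}

$findings = @()
if (-not $state.WUServer) {
    $findings += 'WUServer is not set: the client still goes to Microsoft for updates.'
} elseif ($state.WUServer -like 'http://*') {
    $findings += 'WUServer uses plain HTTP: update metadata is not protected in transit.'
}
if ($state.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1: the intranet update server setting is not in effect.'
}
if ($state.TargetGroupEnabled -ne 1) {
    $findings += 'Client-side targeting is not enabled.'
} else {
    # The policy accepts several group names separated by semicolons.
    $unknown = @($state.TargetGroup -split ';' | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and ($_ -notin $ExpectedGroups) })
    if ($unknown.Count -gt 0) {
        $findings += "TargetGroup names not in the expected list: $($unknown -join ', ')"
    }
    if (-not $state.TargetGroup) { $findings += 'TargetGroup is empty.' }
}

[pscustomobject]$state | Format-List
if ($findings.Count -eq 0) { 'OK: WSUS policy values are present.' } else { $findings }
```

A target group name that does not match a group on the WSUS server is worth chasing down, since the client will not show up in the computer group you expect.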
