skip navigation
University of Illinois | Home | Help Desk | Status | CIO | Site Map |
CITES logo
skip navigation

Configuring WSUS on Client Computers

CITES > WSUS > client install

 

Introduction

This document will help identify the steps involved in using Group Policy Objects to distribute Windows Server Update Services (WSUS) configuration settings to client computers.  The steps are similar whether configuring on a per-client basis (gpedit.msc) or configuring a group of computers via Active Directory (gpmc.msc)

When you configure the Group Policy settings for WSUS, use a Group Policy Object (GPO) linked to an Active Directory container appropriate for your environment. Microsoft does not recommend editing the Default Domain or Default Domain Controller GPOs to add WSUS settings.

In a simple environment, link the GPO with the WSUS settings to the domain. In a more complex environment, you might have multiple GPOs linked to several organizational units (OUs), which would enable you to have different WSUS policy settings applied to different types of computers.

After you set up a client computer, it may take a few minutes before it appears on the Computers page in the WSUS console. For client computers configured with an Active Directory-based GPO, it can take about 20 minutes after Group Policy refreshes (that is, applies any new settings to the client computer). By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0 to 30 minutes. If you want to refresh Group Policy sooner, you can go to a command prompt on the client computer and type: gpupdate /force.

Note:  On client computers running Windows 2000, you can type the following at a command prompt: secedit /refreshpolicy machine_policy /enforce

Note:  In Windows 2000, Group Policy Object Editor is known as Group Policy Editor. Although the name changed, it is the same tool for editing Group Policy objects. It is also commonly referred to as gpedit.

Group Policy options

The following is a list of the Group Policy options available for configuring WSUS-related items in the environment.

Load the WSUS Administrative Template

Before you can set any Group Policy options for WSUS, you must ensure that the latest administrative template has been loaded on the computer used to administer Group Policy. The administrative template with WSUS settings is named wuau.adm. Although there are additional Group Policy settings related to the Windows Update Web site, all the new Group Policy settings for WSUS are contained within the wuau.adm file. You can download the wuau.adm template. (You will be prompted to log in to the CITES Security Wiki in order to download the latest version available.)

If the computer you are using to configure Group Policy has the latest version of wuau.adm, you do not need to load the file to configure settings. The new version of wuau.adm is available on Windows XP with Service Pack 2. Administrative templates files are stored by default in the %windir%\Inf directory.

Important:  Any computer that has already had Automatic Updates installed through WSUS will have the correct version of wuau.adm. You can use the old version of wuau.adm to initially point Automatic Updates to the WSUS server in order to self-update. After the Automatic Update self-updates, the new wuau.adm file appears in the %windir%\Inf folder.

If the computer you are using to configure Group Policy does not have the latest version of wuau.adm installed, you must first load it by using the following procedure.

To add the WSUS Administrative Template

Download the latest wuau.adm template.

1. In Group Policy Object Editor, click either of the Administrative Templates nodes.
2. On the Action menu, click Add/Remove Templates.
3. Click Add.
4. In the Policy Templates dialog box, select wuau.adm, and then click Open.
5. In the Add/Remove Templates dialog box, click Close.

Configure Automatic Updates

The settings for this policy enable you to configure how Automatic Updates works. You must specify that Automatic Updates should download updates from the WSUS server rather than from Windows Update.

To configure the behavior of Automatic Updates

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, click Configure Automatic Updates.

3. Click Enabled and select one of the following options:

    • Notify for download and notify for install. This option notifies a logged-on administrative user prior to the download and prior to the installation of the updates.

    • Auto download and notify for install. This option automatically begins downloading updates and then notifies a logged-on administrative user prior to installing the updates.

    • Auto download and schedule the install. If Automatic Updates is configured to perform a scheduled installation, you must also set the day and time for the recurring scheduled installation.

    • Allow local admin to choose setting. With this option, the local administrators are allowed to use Automatic Updates in Control Panel to select a configuration option of their choice. For example, they can choose their own scheduled installation time. Local administrators are not allowed to disable Automatic Updates.

4. Click OK.

Specify Intranet Microsoft Update Service Location

The settings for this policy enable you to configure a WSUS server that Automatic Updates will contact for updates. You must enable this policy in order for Automatic Updates to download updates from the WSUS server.

Enter the WSUS server HTTP(S) URL twice, so that the server specified for updates is also used for reporting client events. For example, type https://wsus.cites.uiuc.edu (or your secondary WSUS server) in both boxes. Both URLs are required. 

To redirect Automatic Updates to a WSUS server

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, click Specify Intranet Microsoft update service location. Type https://wsus.cites.uiuc.edu (or your secondary WSUS server).

3. Click Enabled and type the HTTP(S) URL of the same WSUS server in both the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type https://wsus.cites.uiuc.edu (or your secondary WSUS server) in both boxes.

4. Click OK.

Enable Client-side Targeting

This policy enables client computers to self-populate computer groups that exist on the WSUS server.

If the status is set to Enabled, the specified computer group information is sent to WSUS, which uses it to determine which updates should be deployed to this computer. This setting is only capable of indicating to the WSUS server which group the client computer should use. You must actually create the group on the WSUS server.

If the status is set to Disabled or Not Configured, no computer group information will be sent to WSUS, and the computer will be placed in the 'Unassigned Computers' category described below.

To enable client-side targeting

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, click Enable client-side targeting.

3. Click Enabled and enter the name of a computer group in the box. (Valid group names are bolded below.)

  • All Computers: This group is a Microsoft WSUS generic and default group.  CITES will configure all critical updates and security updates to be automatically approved and installed on ALL systems connecting to the CITES WSUS server.
  • Unassigned Computers: This group is another default group for systems that connect to the WSUS server and do not use one of the italicized client-side targeting groups listed below.  By default, the computers in this group will receive all critical updates and security updates.
  • Application Service Packs: This group will receive all of the critical updates and security updates in addition to service packs for applications.
  • OS Service Packs: This group will receive all of the critical updates and security updates in addition to service packs for the Operating System.  Additionally, this group will receive updates for Internet Explorer as well as the .NET framework due to their thorough integration into the operating system on many computers.
  • All Service Packs: This group will receive all of the critical updates and security updates in addition to the updates from the Application Service Packs and the OS Service Packs groups.

    Note: It is important to enter the target group name accurately.  If the group name does not exist, the machine(s) will be placed into the 'Unassigned Computers' group.

4. Click OK.

Reschedule Automatic Update Scheduled Installations

This policy specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously.

If the status is set to Enabled, a scheduled installation that did not take place earlier will occur the specified number of minutes after the computer is next started.

If the status is set to Disabled, a missed scheduled installation will occur with the next scheduled installation.

If the status is set to Not Configured, a missed scheduled installation will occur one minute after the computer is next started.

This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.

To reschedule Automatic Update scheduled installation

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, click Reschedule Automatic Update scheduled installations, click Enable, and enter a value in minutes.

3. Click OK.

No Auto-restart for Scheduled Automatic Update Installation Options

This policy specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.

If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged on to the computer. Instead, Automatic Updates will notify the user to restart the computer in order to complete the installation.

Be aware that Automatic Updates will not be able to detect future updates until the restart occurs.  Additionally, some updates (like that for the MS05-039 Plug-n-Play vulnerability) require a reboot before the patch installation can complete. Some machines on campus that had the patch delivered were still vulnerable because they had not rebooted.

If the status is set to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation.

This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.

To inhibit auto-restart for scheduled Automatic Update installation options

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, double click No auto-restart for scheduled Automatic Update installations options, and set the option.

3. Click OK.

Automatic Update Detection Frequency

This policy specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here, minus 0 to 20 percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, then all WSUS clients to which this policy is applied will check for updates anywhere between 16 and 20 hours.

If the status is set to Enabled, Automatic Updates will check for available updates at the specified interval.

If the status is set to Disabled or Not Configured, Automatic Updates will check for available updates at the default interval of 22 hours.

To set Automatic Update detection frequency

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, click Automatic Update detection frequency, and set the option.

3. Click OK.

Allow Automatic Update Immediate Installation

This policy specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.

If the status is set to Enabled, Automatic Updates will immediately install these updates after they have been downloaded and are ready to install.

If the status is set to Disabled, such updates will not be installed immediately.

To allow Automatic Update immediate installation

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, click Allow Automatic Update immediate installation, and set the option.

3. Click OK.

Delay Restart for Scheduled Installations

This policy specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart.

If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished.

If the status is set to Disabled or Not Configured, the default wait time is five minutes.

To delay restarts for scheduled installations

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, click Delay restart for scheduled installations, and set the option.

3. Click OK.

Re-prompt for Restart with Scheduled Installations

This policy specifies the amount of time for Automatic Updates to wait before prompting the user again for a scheduled restart.

If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed.

If the status is set to Disabled or Not Configured, the default interval is 10 minutes.

To re-prompt for restart with scheduled installations

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, click Re-prompt for restart with scheduled installations, and set the option.

3. Click OK.

Allow Non-administrators to Receive Update Notifications

This policy specifies whether logged-on non-administrative users will receive update notifications based on the configuration settings for Automatic Updates. If Automatic Updates is configured, by policy or locally, to notify the user either before downloading or only before installation, these notifications will be offered to any non-administrator who logs onto the computer.

If the status is set to Enabled, Automatic Updates will include non-administrators when determining which logged-on user should receive notification.

If the status is set to Disabled or Not Configured, Automatic Updates will notify only logged-on administrators.

To allow non-administrators to receive update notifications

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, click Allow non-administrators to receive update notifications, and set the option.

3. Click OK.

Note: This policy setting does not allow non-administrative Terminal Services users to restart the remote computer where they are logged in. This is because, by default, non-administrative Terminal Services users do not have computer restart privileges.

Remove Links and Access to Windows Update

If this setting is enabled, Automatic Updates receives updates from the WSUS server. Users who have this policy set cannot get updates from a Windows Update Web site that you have not approved. If this policy is not enabled, the Windows Update icon remains on the Start menu for local administrators to visit the Windows Update Web site. Local administrative users can use it to install unapproved software from the public Windows Update Web site. This happens even if you have specified that Automatic Updates must get approved updates from your WSUS server.

To remove links and access to Windows Update

1. In Group Policy Object Editor, expand User Configuration, expand Administrative Templates, and then click Start Menu and Taskbar.

2. In the details pane, click Remove links and access to Windows Update, and set the option.

3. Click OK.

More information

For more information, see Microsoft's documentation at:

http://www.microsoft.com/windowsserversystem/updateservices/downloads/WSUS.mspx

 

 

  Services by Category   Services by Audience
* Calendaring * New to Campus?
* Classroom Technologies * Students
* Computer Facilities * Faculty & Staff
* Computing Accounts * Instructors
* Educational Technologies * Techsupport Providers
* Email  
* Networking & Remote Access   Other Help
* Passwords * Training
* Security * Computing & Networking 101
* Services For Departments * Contacts
* Software * Glossary
* Telecommunications    
* Complete List of Services    

 

CITES welcomes comments about our services and comments about our web site.
Return to the top of this page.
Last modified August 18, 2006 .