Connecting Windows Clients to WSUS

Windows Server Update Services (WSUS) is a fantastic tool for managing Windows security updates. It allows you to see which computers require updates, generate reports based on this information and roll out updates from a single point, saving bandwidth on your WAN link.

In a Windows Active Directory environment the best way to get the clients to connect to the WSUS server is through Group Policy. It is suggested that workstations and servers use different settings.

If you do not have an appropriate group policy to include these settings you will need to create a new one.

Please note, you will need client side targeting to be enabled on the WSUS server:

  • In WSUS 3.0 go to Options in the left pane, then Computers, and select “Use Group Policy or registry settings on computers”.
  • In WSUS 2.0 go to Options / Computers and change to the other option, “Use Group Policy or registry settings on computers”, to specify how computers are assigned to groups.

Workstations

Open the Group Policy Object which will contain the WSUS settings.

  1. Navigate to Computer Configuration/Administrative Templates/Windows Components/Windows Update
  2. Set ‘Enable client-side targeting’ to enabled
  3. Specify the target group name, e.g. “SOE Workstations”
  4. Under “Configure Automatic Updates”, use Automatic Updating level 4 (“Auto download and schedule the install”)
  5. Set ‘Specify intranet Microsoft update service location’ to enabled, and specify the HTTP address of your WSUS installation (e.g. http://wsusserver)

Servers

To ensure the servers won’t restart after obtaining an approved WSUS update we need to configure the Group Policy Object in a slightly different way.

  1. Navigate to Computer Configuration/Administrative Templates/Windows Components/Windows Update
  2. Set ‘Enable client-side targeting’ to enabled
  3. Specify the target group name, e.g. “Production Servers”
  4. Under “Configure Automatic Updates”, use Automatic Updating level 3 (“Auto download and notify for install”)
  5. Set ‘Specify intranet Microsoft update service location’ to enabled, and specify the HTTP address of your WSUS installation (e.g. http://wsusserver)
  6. Set ‘Allow Automatic Updates immediate installation’ to Disabled
  7. Set ‘Reschedule Automatic Updates scheduled installations’ to Disabled
  8. Set ‘No auto-restart for scheduled Automatic Updates installations’ to Enabled

After a computer receives the new group policy it will take up to 10 minutes to appear on the WSUS server. Computers will appear under the target group specified in step 3.
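Before waiting for a machine to show up on the WSUS console, it is worth confirming that the policy actually landed on the client. The Windows Update Group Policy settings in the Workstations and Servers steps above are written to the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey), so the following PowerShell script, added here as an example and not part of the original article, reads those values and reports any drift from the expected workstation or server profile. The target group names and the http://wsusserver address are the article's own examples; the policy-name-to-registry-value mapping is the one the standard Windows Update administrative template uses.

```powershell
# Added example (not from the original article): audit whether the WSUS group
# policy has applied on this machine by reading the registry values the policy
# writes. Run in an elevated PowerShell session, e.g. after gpupdate /force.

param([ValidateSet('Workstation','Server')][string]$Role = 'Workstation')

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# Policy setting -> registry value, as written by the Windows Update ADM template.
# Group names and server URL are the article's example values; change to suit.
$expected = @{
    Workstation = @{
        "$wu|TargetGroupEnabled" = 1                   # 'Enable client-side targeting' enabled
        "$wu|TargetGroup"        = 'SOE Workstations'  # target group name (example)
        "$wu|WUServer"           = 'http://wsusserver' # intranet update service location (example)
        "$wu|WUStatusServer"     = 'http://wsusserver'
        "$au|UseWUServer"        = 1
        "$au|AUOptions"          = 4                   # level 4: auto download and schedule the install
    }
    Server = @{
        "$wu|TargetGroupEnabled"            = 1
        "$wu|TargetGroup"                   = 'Production Servers'
        "$wu|WUServer"                      = 'http://wsusserver'
        "$wu|WUStatusServer"                = 'http://wsusserver'
        "$au|UseWUServer"                   = 1
        "$au|AUOptions"                     = 3        # level 3: auto download and notify for install
        "$au|AutoInstallMinorUpdates"       = 0        # 'Allow Automatic Updates immediate installation' disabled
        "$au|RescheduleWaitTimeEnabled"     = 0        # 'Reschedule Automatic Updates scheduled installations' disabled
        "$au|NoAutoRebootWithLoggedOnUsers" = 1        # 'No auto-restart for scheduled ... installations' enabled
    }
}

$drift = @()
foreach ($entry in $expected[$Role].GetEnumerator()) {
    $path, $name = $entry.Key -split '\|'
    $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $actual) {
        $drift += "MISSING  $name (expected $($entry.Value))"
    } elseif ("$actual" -ne "$($entry.Value)") {
        $drift += "MISMATCH $name = $actual (expected $($entry.Value))"
    }
}

if ($drift.Count -eq 0) {
    Write-Host "WSUS policy for role '$Role' is applied as expected."
} else {
    Write-Warning "WSUS policy drift detected for role '$Role':"
    $drift | ForEach-Object { Write-Warning "  $_" }
}
```

Run it as `.\Check-WsusPolicy.ps1 -Role Server` on a server and `-Role Workstation` on a workstation. A MISSING result usually means the GPO has not applied yet (or is linked to the wrong OU); a MISMATCH on AUOptions or NoAutoRebootWithLoggedOnUsers is the one to chase first, because it decides whether the machine can restart itself.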

After an update is approved for the workstation group, the computer will restart automatically if no user is logged on. If a user is logged on they will be nagged before an eventual compulsory restart; a user with local administrator rights can postpone the install or the restart. It is suggested to approve updates outside of core business hours and ask users to leave their computers on and at the log-on prompt to minimise interruptions.

After an update is approved for the server group the computer will not install the update or restart automatically. This method requires an administrator to log onto each server, manually start the installation and restart the server. Whilst this might seem like a lot of work it is suggested because it ensures servers won’t automatically restart in core hours, and if an update fails an administrator will be aware of it immediately. This method still allows the updates to be approved, distributed and reported on via WSUS.
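The manual server step described above can be driven from an elevated PowerShell prompt instead of the Windows Update dialog. The script below is an added example, not the article's own procedure: it uses the Windows Update Agent COM API (Microsoft.Update.Session) to list the updates WSUS has approved for this server's target group, download and install them, print the per-update result, and then only report whether a restart is needed rather than performing one, which keeps the restart under the administrator's control as the article intends. It assumes the server already points at WSUS through the policy above.

```powershell
# Added example (not from the original article): install WSUS-approved updates
# on a server on demand, without an automatic restart, via the Windows Update
# Agent COM API. Run in an elevated PowerShell session on the server itself.

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1   # ssManagedServer: query the configured WSUS server, not Microsoft Update

# WSUS only returns updates approved for this computer's target group.
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')
if ($result.Updates.Count -eq 0) {
    Write-Host 'No approved updates are pending on this server.'
    return
}

$toInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($update in $result.Updates) {
    Write-Host ('Pending: {0} [KB{1}]' -f $update.Title, (@($update.KBArticleIDs) -join ', KB'))
    if (-not $update.EulaAccepted) { $update.AcceptEula() }
    [void]$toInstall.Add($update)
}

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toInstall
[void]$downloader.Download()

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$install = $installer.Install()

# OperationResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted.
# A failure surfaces here immediately, which is the point of the hands-on server process.
for ($i = 0; $i -lt $toInstall.Count; $i++) {
    $code = $install.GetUpdateResult($i).ResultCode
    Write-Host ('{0} -> result code {1}' -f $toInstall.Item($i).Title, $code)
}

if ($install.RebootRequired) {
    Write-Warning 'A restart is required to finish installation; restart this server in its maintenance window.'
} else {
    Write-Host 'No restart required.'
}
```

Because the server's policy sets Automatic Updates to level 3, the agent will already have downloaded the approved updates, so the Download() call normally completes immediately; it is kept so the script also works on a freshly joined server that has not yet run its first detection cycle. The WSUS console will show the installation results after the server's next status report.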