Dec 26 2011

Configure WSUS to deploy updates using Group Policy

I created this step-by-step guide for those people that don’t understand or want to know how to configure WSUS to deploy updates using Group Policy. The process is very simple, but very efficient for a large and even a small network. To understand what I’m talking about, think of a network of 300 PCs, maybe that network is already in your company; you deployed a WSUS server but clients still go to Microsoft for updates, and you want to point them to your WSUS Server.Off course is an ugly job to do this manually for 300 clients, but this is where Group Policy comes in. All you have to do is make a some configuration settings in WSUS, create a new GPO (Group Policy Object), configure that GPO, and attach it to an OU (Organizational Unit) in AD. Easy haa…now let’s see how it’s done.

First let’s configure WSUS settings; open your WSUS console, go to Options and click Computers. This is where we tell WSUS how computers are added to groups. I’m going to talk about groups in a moment.

The default option is to add those computers manually, but we don’t want that, so choose the second option Use Group Policy or registry setting on computers. Click OK.

Now let’s talk about groups and create some. The main purpose of groups in WSUS are to organize computers. Think of this groups like OUs in AD. To create some groups right-click on All Computers an choose Add Computer Group. I’m going to create two groups here, one will be XP Computers, for all my Windows XP systems, and the second one is called 7 Computers, where all Windows 7 computers will reside.

We are done with WSUS for now. Now let’s go on the DC to create the update policy. Open Group Policy Management from Administrative Tools > Group Policy Management. Here we need to create two GPO, one for the Windows XP computers and another one for Windows 7 computers. Right click the OU where your Windows XP computers reside and choose Create a group policy in this domain, and link it here.

Give the GP a name and click OK. Now right-click this GP and choose Edit.

Expand Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. As you can see we have a lot of options here to configure Windows updates, but I’m going to configure just some of them, the rest I’ll live it to you.

Open Configure Automatic Updates, select Enable and under Options choose the way updates are going to be installed on clients.

Open Specify intranet Microsoft update service location, select Enable, and under Options type the address of your WSUS server, in the form http://servername:port. Port is optional, and use it only if your WSUS site is installed on a different port (8530). Here you can put the NetBios name, FQDN or IP. In this case I’m going to use the NetBios name.

Open Enable client-side targeting, select Enable. You remember on WSUS those two groups that we created (XP Computers and 7 Computers), now is time to use one of them. In the Target group name for this computer type XP Computers, click OK, and close the Group Policy Management Editor.

We still need to configure updates for the Windows 7 systems, so create a new GPO on the Windows 7 OU. Follow the same steps like before until you reach Enable client-side targeting. In the box type 7 Computers, and click OK. Your GP Management console should look like this by now:

We are done configuring, it’s time to test. Restart the clients or force the policy on them in order to take effect; but if you are not in rush, just wait between 90-120 min for the policy to apply on clients. I forced the policy (since I have only two clients) using gpupdate /force command. Now if you take a look in WSUS, you should see your clients, already added in their computer groups.

Here is my Windows XP system

and here is my Windows 7 system

There are situation when clients don’t appear in WSUS after the policy is applied (especially on XP systems), and in most cases all you have to do is have patience.



Skip to comment form

  1. JtH

    patients? or patience? Good blog man, thanks!

    1. Adrian Costea

      Thanks the for correction, and welcome to my blog.

  2. Andrei

    Very good post Adrian. Just tried it at home, works like a charm :) I used a SQL Server 2008 R2 Express for WSUS though. Anyway, keep up the good work :)

  3. Hamid

    Thanks for your document, I have a Question
    I have installed a DC in windows 2003 and I installed WSUS 3 SP2 on a virtual PC on win2008
    I need config network clients to take updates from the virtual pc that runing wsus,
    how can I do that , and can I deploy this configuration to clients from DC?


    1. Adrian Costea

      You need to follow the steps in this article and when you create the GPO for your domain clients, on the policy Specify intranet Microsoft update service location type the IP (I prefer the FQDN) of your WSUS server; the one you installed on the Virtual PC.
      Thanks for passing by…

  4. Billy Brown

    Thanks for the information Adrian. It allowed me to switch from manual patching to scheduled patching at work.

    1. Adrian Costea

      Yes, WSUS is a great product and perfect for small business. I’m glad it worked out for you.

  5. mark

    For Windows 2012 specify intranet update service location: http://mywsusserver:8530, if you’re using cloned machines you have to change the sus id:

    net stop wuauserv
    REG DELETE “HKLMSOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdate” /v SusClientId /f
    net start wuauserv
    wuauclt /resetauthorization /detectnow

    1. Adrian Costea

      Yes you are right, you can use that command if you encounter problems. I am using cloned machines on a day-to-day basis, but never had any problems in WSUS. Off course they are syspreped.
      Thanks for the add-on, much appreciated.

    2. Scott D.

      Mark, thank you so much for this GEM of a piece of info. I have been battling this for a couple of days off and on and finally came across your comment. I’m now detecting computers in my 2012 environment. Kudos!

  6. Robert

    Hi, in step where you go to Group Policy Management you have vKernel Computers -> Windows XP, Windows 7. I dont have that folders. I dont have any computer list there at all. What should i do?

    1. Adrian Costea


      vKernel Computers folder was manually created in WSUS; those need to be create manually, but name them after your will. If you configure the GPO’s correctly (follow the post) you computers will appear in the specified folder(s) in WSUS, just like in the article.

  7. Joe

    So once you create the groups in WSUS, the GP will automatically move the computers there from the Unassigned group?

    1. Adrian Costea

      Yes, if you configure the GPO’s and the WSUS server correctly. User some virtualization platform (Virtual Box, VMware Workstation) and do some labs. After a few of those you will handle WSUS.

  8. Andrei


  9. ViNNIE

    GPO was unable to push the policy to the clients in my case. I tried creating groups, adding the computer to the groups, creating OU’s etc etc..

    Only way I could get it to work was to specifically assign the “WSUS Update for 7 Computers” and add the computer name in the Security filtering.

    Any idea why?

    1. Adrian Costea

      In a Microsoft Active Directory environment policies are not push. It’s a pull technology; clients requests new GPO updates from the DC. In your case, you either did not configured correctly the GPOs or the WSUS server. Create the lab again (your are working in a lab environment right ?) and test a few times more, and soon you will master it. Make sure the AD environment is working great. Let me know how it goes. Cheers…

  10. mark

    @vinnie did you create the starter gpo folder in gpmc? there are 2 gpos inside like “gpo reporting firewall udpate” and “gp remote update fw ports”, attach those to your domain. if this doesn’t work out, trace the gpo and look why it has not been applied to the clients.

  11. Garrett

    I found this very informative, thank you very much!

    I did however have some questions, the first of which, at what point is there a differentiation of the version of the OS and would that be handled by the DC or the WSUS server?


    1. Adrian Costea

      Can you be more specific ? I don’t quite understand your question.

    2. Joe

      The WSUS will determine what updates get pushed to which systems based on OS.

      1. Adrian Costea

        WSUS does not choose. You choose what updates need to be downloaded and for what products, except when you configure WSUS to automatically approve updates. That way all updates for the products you configure are downloaded are made available to clients. One other thing is that WSUS does not push updates, they are pull by clients.

        1. Joe

          Stand corrected Pulled by clients.

          Just for his post clarity, the DC has nothing to do with the updates (as long as the GP is set correctly), it’s all done via the WSUS.

  12. Sharjeel

    Hello. I have recently implemented WSUS 3.0 SP2 on Windows 2008 R2 server. My other servers having Win 2003 and Win 2008 are communicating with WSUS but my Windows 7 clients are not? any idea why I am getting this issue?

    1. Adrian Costea

      Did you configured the Windows 7 clients to point to the WSUS servers ? Just follow this article step-by-step and you make it work, if not let me know and I will try help you.

  13. nom

    Hi Andrian,

    I need your help badly. I setup a replica downstream server for a new location, it sync fine with the main wsus upstream(showed updates and computer groups) however, the pcs are not showing up in these groups but they are present in the upstream server. Another problem is how can i point the clients to get the update from the replica server? Should I input the servername:port in the “specify the Ms intranet srvice….” of the replica server or still the name of the upstream? Many thanks. -Nom

    1. Adrian Costea

      Modify your GPO and configure it to point clients to the downstream WSUS server and they will show up eventually and download updates. Just make sure those updates are approved on the upstream server. Let me know how it goes.

  14. Nome

    Thanks for the reply. I have done that already (setting the “downstreamserver:port”) and the GPO is pushing fine as I have checked in the client.

    still no computer in the computer groups :(

    I have checked the IIS Manager: 2 sites

    1. Default Website (not running)
    2. WSUS Administration SIte (running)

    Does the no.1 has something to do with it? Althoug I have tried starting it and cannot since it says used by another process.

    1. Adrian Costea

      Have you checked the update logs on a client ? Take a look there and see what happens, if the client is actually pointing to the downstream server.
      The Default Website is not starting because the WSUS Administration Site is running using the same port (80). If you want to start the Default Website site you need to add a host name to it, so IIS can identify it.

Leave a Reply

Your email address will not be published. Required fields are marked *

css.php /** Cod Facebook */