Configure WSUS to deploy updates using Group Policy
I created this step-by-step guide for those who don’t know, or want to know, how to configure WSUS to deploy updates using Group Policy. The process is very simple, but very efficient for a large or even a small network. To understand what I’m talking about, think of a network of 300 PCs; maybe that network is already in your company: you deployed a WSUS server, but clients still go to Microsoft for updates, and you want to point them to your WSUS server. Of course, doing this manually on 300 clients is an ugly job, but this is where Group Policy comes in. All you have to do is make a few configuration settings in WSUS, create a new GPO (Group Policy Object), configure that GPO, and link it to an OU (Organizational Unit) in AD. Easy, huh… now let’s see how it’s done.
First let’s configure WSUS settings; open your WSUS console, go to Options and click Computers. This is where we tell WSUS how computers are added to groups. I’m going to talk about groups in a moment.
The default option is to add computers to groups manually, but we don’t want that, so choose the second option, Use Group Policy or registry settings on computers. Click OK. Without this setting the TargetGroup value the GPO sends is ignored and every client lands in Unassigned Computers.
Now let’s talk about groups and create some. The main purpose of groups in WSUS is to organize computers, so you can approve updates for one set of machines (say, a pilot group) before the rest. Think of these groups like OUs in AD. To create a group, right-click All Computers and choose Add Computer Group. I’m going to create two groups here: the first is XP Computers, for all my Windows XP systems, and the second is called 7 Computers, where all Windows 7 computers will reside. The names matter, because the clients will announce themselves to WSUS with exactly this string.
We are done with WSUS for now. Now let’s go to the DC to create the update policy. Open Group Policy Management from Administrative Tools > Group Policy Management. Here we need to create two GPOs, one for the Windows XP computers and another for the Windows 7 computers. Right-click the OU where your Windows XP computer objects reside and choose Create a GPO in this domain, and Link it here. The settings we are about to configure live under Computer Configuration, so the link must be on an OU that contains the computer accounts, not the users.
Give the GPO a name and click OK. Now right-click this GPO and choose Edit.
Expand Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. As you can see, there are a lot of options here for configuring Windows Update, but I’m going to configure just a few of them; the rest I’ll leave to you.
Open Configure Automatic Updates, select Enabled, and under Options choose how updates are going to be installed on clients (for example, 4 - Auto download and schedule the install, with a day and time that suits your maintenance window).
Open Specify intranet Microsoft update service location, select Enabled, and under Options type the address of your WSUS server in both boxes (the update service and the statistics server), in the form http://servername:port. The port is only needed when WSUS is not listening on port 80: the WSUS Administration site uses 8530 for HTTP and 8531 for HTTPS (8530 is the default on WSUS 4.0 and later). You can put the NetBIOS name, the FQDN or the IP here. In this case I’m going to use the NetBIOS name. If you have configured SSL on WSUS, use https:// with the FQDN that matches the certificate, otherwise the clients will refuse to talk to the server; an HTTP-only WSUS lets anyone on the network path tamper with what the clients download, so HTTPS is the safer choice on anything but a lab.
Open Enable client-side targeting and select Enabled. Remember those two groups we created in WSUS (XP Computers and 7 Computers)? Now it’s time to use one of them. In Target group name for this computer, type XP Computers (exactly as the group is named in WSUS), click OK, and close the Group Policy Management Editor.
We still need to configure updates for the Windows 7 systems, so create a new GPO on the Windows 7 OU. Follow the same steps as before until you reach Enable client-side targeting. In the box type 7 Computers, and click OK. Your Group Policy Management console should look like this by now:
We are done configuring; it’s time to test. Restart the clients or force the policy on them for it to take effect, or, if you are not in a rush, just wait 90 to 120 minutes for the background refresh to apply the policy on the clients. I forced the policy (since I have only two clients) with the gpupdate /force command. Now if you take a look in WSUS, you should see your clients, already added to their computer groups.
Here is my Windows XP system
and here is my Windows 7 system
There are situations when clients don’t appear in WSUS after the policy is applied (especially on XP systems), and in most cases all you have to do is have patience: the client first has to run a detection cycle and report back. If they still don’t show up, check %windir%\WindowsUpdate.log on the client to confirm it is actually talking to your server, and if the machines were cloned without sysprep they share the same SusClientId and will keep replacing each other in the console until that ID is reset.
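The same procedure done from PowerShell, plus the client-side check I run when a machine does not show up, as an added example that is not part of the original article. Server names, the domain, the OU paths and the GPO names are assumptions (wsus01.corp.example with SSL on 8531, OUs named XP Computers and 7 Computers under corp.example); the registry values are the ones the Windows Update administrative template writes. It needs PowerShell 3.0 or later, the UpdateServices module on the WSUS server (WSUS 4.0 and later) and the GroupPolicy module from RSAT on the DC.

```powershell
# Added example, not from the original article. Assumed names: wsus01.corp.example,
# domain corp.example, OUs "XP Computers" and "7 Computers". Part 1 runs on the
# WSUS server, part 2 on a DC with RSAT, part 3 on a client.

# --- 1. WSUS: "Use Group Policy or registry settings on computers" + the groups
Import-Module UpdateServices
$wsus   = Get-WsusServer
$config = $wsus.GetConfiguration()
$config.TargetingMode = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
$config.Save()
foreach ($groupName in 'XP Computers', '7 Computers') {
    if (-not ($wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName })) {
        $null = $wsus.CreateComputerTargetGroup($groupName)
    }
}

# --- 2. DC: one GPO per OU, writing the values the ADMX settings write ---------
Import-Module GroupPolicy
$wuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey   = "$wuKey\AU"
$wsusUrl = 'https://wsus01.corp.example:8531'   # assumption; use http://...:8530 only without SSL

function New-WsusClientGpo {
    param(
        [string]$GpoName,
        [string]$TargetGroup,   # must match the WSUS group name exactly
        [string]$OuDn,          # OU holding the COMPUTER objects
        [int]$AUOptions = 4     # 4 = auto download and schedule the install
    )
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { $null = New-GPO -Name $GpoName }
    # Specify intranet Microsoft update service location (both boxes)
    $null = Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName WUServer       -Type String -Value $wsusUrl
    $null = Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName WUStatusServer -Type String -Value $wsusUrl
    # Enable client-side targeting
    $null = Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName TargetGroupEnabled -Type DWord  -Value 1
    $null = Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName TargetGroup        -Type String -Value $TargetGroup
    # Configure Automatic Updates
    $null = Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName NoAutoUpdate -Type DWord -Value 0
    $null = Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName UseWUServer  -Type DWord -Value 1
    $null = Set-GPRegistryValue -Name $GpoName -Key $auKey -ValueName AUOptions    -Type DWord -Value $AUOptions
    # Link it to the computer OU (skip if already linked)
    $linked = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) { $null = New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes }
    Get-GPO -Name $GpoName
}

New-WsusClientGpo -GpoName 'WSUS - XP Computers' -TargetGroup 'XP Computers' -OuDn 'OU=XP Computers,DC=corp,DC=example'
New-WsusClientGpo -GpoName 'WSUS - 7 Computers'  -TargetGroup '7 Computers'  -OuDn 'OU=7 Computers,DC=corp,DC=example'

# --- 3. Client: what actually landed, is the server reachable, kick a detection
function Test-WsusClientConfig {
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $warnings = @()
    if (-not $wu.WUServer -or $au.UseWUServer -ne 1) {
        $warnings += 'Policy not applied: run gpupdate /force and check the GPO is linked to the OU with the computer object'
    } elseif ($wu.WUServer -like 'http://*') {
        $warnings += 'WSUS reached over plain HTTP: updates can be tampered with on the path; prefer https://...:8531'
    }
    $reachable = $null
    if ($wu.WUServer) {
        $uri = [Uri]$wu.WUServer
        $tcp = New-Object Net.Sockets.TcpClient
        try { $tcp.Connect($uri.Host, $uri.Port); $reachable = $true } catch { $reachable = $false } finally { $tcp.Close() }
    }
    [pscustomobject]@{
        WUServer    = $wu.WUServer
        TargetGroup = if ($wu.TargetGroupEnabled -eq 1) { $wu.TargetGroup } else { $null }
        AUOptions   = $au.AUOptions
        Reachable   = $reachable
        Warnings    = $warnings
    }
}

function Reset-WsusClientId {
    # For images cloned without sysprep: clients sharing a SusClientId overwrite each other in the console
    Stop-Service wuauserv
    Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' `
        -Name SusClientId, SusClientIdValidation -ErrorAction SilentlyContinue
    Start-Service wuauserv
    wuauclt /resetauthorization /detectnow
}

Test-WsusClientConfig | Format-List
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()   # same as wuauclt /detectnow
```

Run Test-WsusClientConfig before you start waiting on the console: an empty WUServer means the GPO never reached the machine (wrong OU, or the settings were put under User Configuration), while a populated WUServer with Reachable set to false points at the network or the port, not at Group Policy. Reset-WsusClientId is only for cloned machines that keep replacing each other in WSUS.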
39 thoughts on “Configure WSUS to deploy updates using Group Policy”
Thanks for the guide. I cannot get machines to appear in the console. This is an install in a new AD site, so the GPOs have always existed. I’ve created the new groups and modified the GPOs associated with the intranet server, and the client machines have the two registry keys pointing at the WSUS server.
However, nothing will appear in the console under any of the groups I created.
Make sure you configure the GPO for Computers and not Users, and link it to the OU where your computers are situated. One other thing: I hope you did not clone the computers. Even in virtual environments you will have to use sysprep for new deployments. There is a way, by deleting a registry key, in case of duplicate IDs from cloning.
Thanks for the valuable information through the content.
Can you please tell if the same process can be applied for adding machines in a WSUS server which is built on Windows 2012 or Windows 2016 ?
Thanks for passing by, and to answer your question: yes. You can apply the same configuration from the article to WSUS servers that are running on Windows 2012, 2016 or 2019. Hope this helps.
Good evening. I ran across this article and the articles below because I’m currently trying to set up a WSUS “centrally managed” environment of 7 servers (2012 R2), all in remote locations.
As referenced in this article and the ones below, I’m having a hard time figuring out how to get clients and downstream/replica servers to download updates that are approved via the master/upstream server.
Basically here’s what I want for the statistics:
Windows Update> Upstream Server> Downstream Server> Client
Here’s where I want the clients to get the updates from once approved:
Approved updated from internal server> Client installs directly from Windows update
If this can’t be done, does anyone have any suggestions for setting up a WSUS environment that uses the least amount of LAN bandwidth?
Deferring the download of updates
Choose a WSUS Management Style
Thanks ahead of time.
This is simple, and all you need to be careful about is the linking of the GPO. Follow the articles on my blog on how to set up a downstream WSUS server, then come back to this one and configure the GPO.
Do I need to create a GPO and redirect clients to the branch replica WSUS server, or should it point towards the main WSUS server? And if the branch clients are pointed towards the main WSUS server, will they download the updates from the replica server created for saving bandwidth?
Clients need to be pointed to the WSUS in their site. If you direct clients to the upstream WSUS server (WSUS in the main site) then all clients will create traffic over your WAN link which is not a good design decision even if you have the internet bandwidth.
Is there any chance we can add computer objects through AD Group, eg: we can create a group in AD named “WSUS PC” and add all those computers in that group which we want to get updated through WSUS. Just wanted to know how the computers get added into the WSUS.
If you put your computers in a security group and apply the WSUS policy on an OU where this group resides, it is not going to work. Computers need to be present in that OU for the WSUS update policy to work.
Thanks for the reply. I have done that already (setting the “downstreamserver:port”) and the GPO is pushing fine as I have checked in the client.
still no computer in the computer groups 🙁
I have checked the IIS Manager: 2 sites
1. Default Website (not running)
2. WSUS Administration SIte (running)
Does no. 1 have something to do with it? Although I have tried starting it, I cannot, since it says it is used by another process.
Have you checked the update logs on a client? Take a look there and see what happens, and whether the client is actually pointing to the downstream server.
The Default Website is not starting because the WSUS Administration Site is running using the same port (80). If you want to start the Default Website site you need to add a host name to it, so IIS can identify it.
I need your help badly. I set up a replica downstream server for a new location; it syncs fine with the main WSUS upstream (showed updates and computer groups), however the PCs are not showing up in these groups, but they are present in the upstream server. Another problem is how I can point the clients to get the updates from the replica server. Should I input the servername:port of the replica server in “Specify intranet Microsoft update service location”, or still the name of the upstream? Many thanks. -Nom
Modify your GPO and configure it to point clients to the downstream WSUS server and they will show up eventually and download updates. Just make sure those updates are approved on the upstream server. Let me know how it goes.
Hello. I have recently implemented WSUS 3.0 SP2 on Windows 2008 R2 server. My other servers having Win 2003 and Win 2008 are communicating with WSUS but my Windows 7 clients are not? any idea why I am getting this issue?
Did you configure the Windows 7 clients to point to the WSUS server? Just follow this article step by step and you’ll make it work; if not, let me know and I will try to help you.
I found this very informative, thank you very much!
I did, however, have some questions, the first of which is: at what point is there a differentiation of the version of the OS, and would that be handled by the DC or the WSUS server?
Can you be more specific? I don’t quite understand your question.
The WSUS will determine what updates get pushed to which systems based on OS.
WSUS does not choose. You choose what updates need to be downloaded and for what products, except when you configure WSUS to automatically approve updates. That way all updates for the products you configure are downloaded and made available to clients. One other thing is that WSUS does not push updates; they are pulled by clients.
I stand corrected: pulled by clients.
Just for this post’s clarity, the DC has nothing to do with the updates (as long as the GP is set correctly); it’s all done via WSUS.