There are situations when client computers are not part of a Windows domain, but you still have to patch those systems using WSUS. Now I bet you ask yourself how those clients get configured if no Active Directory environment is present. I will answer your question in this guide.
For this lab I prepared a WSUS server running on a Windows Server 2008 R2, and two clients, one is a Windows XP machine and the other one is a Windows 7 machine. I suppose you already have your WSUS installed, if not read this post on how to install it. That specific post is about installing WSUS on a server that is part of a domain, but the same methods applies if you are installing WSUS on a server that is part of a workgroup. Now that our WSUS server is working, we need to take care of the clients, and there are two ways: editing the registry, or configure the local group policies. I’ll show you both in just a moment.
To begin go to the Windows XP client and click Start > Run. Here type gpedit.msc and hit ENTER.
In the Group Policy Management Editor expand Computer Configuration > Administrative Templates > Windows Components > Windows Update. As you can see in the Windows Update folder we have a bunch of GPO for the Windows Update configuration.
This part is very simple, just configure the policies to point this client to the WSUS server, and set the update check interval, as a minimal configuration.
After you’re done with the GPO force the policies to apply by issuing the gpupdate /force command. Now open Automatic Updates from the client Control Panel, and take a look at the changes. As you can see everything is grayed out and configured accordingly to your policy settings.
Force the client to check for updates by issuing the wuauclt /detectnow command. After a few moments the Windows XP machine should appear in the created computer group on the WSUS server. Do the same steps for the Windows 7 machine, but don’t forget to change the Enable client-side targeting policy, or your Windows 7 client will appear in the Windows XP computer group on the WSUS server. This applies only if you created and configured computer groups.
Now that we configured these two clients to get their updates from the WSUS server what about the rest of them ? Is a lot of work to go and configure the local group policies for every client. The solution is editing the registry using a script. Go to any one of these two clients and open the registry editor using Start > Run type regedit then hit OK. Expand HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. Here you can see all the settings we configured previous using the local group policy editor.
Click the Windows Update folder and from the File menu, choose Export and save the file on you local or network drive.
Now, all you have to do is go to every client in your network and double-click this registry file to import the settings.
Want content like this delivered right to your