Configure Group Policy to deploy updates using WSUS 2016
One of the first steps you will need to take during the initial configuration of a WSUS Server is to establish communication between WSUS Server and clients. As clients (endpoints) we assume that they can be either Windows clients or Windows Servers.
The most fundamental task is to direct each client to communicate with WSUS Server to check for new updates instead of using Microsoft Update over the Internet. Next, we will go through the individual settings for scheduling updates, configuring alerts, etc.
In general, these settings can be made through Group Policy, Local Policy, or Registry. However, as we refer to an Active Directory infrastructure, we will focus on WSUS policy settings through Group Policy.
In most cases, it is suggested to create a new Group Policy Object that will only apply to WSUS settings. You may use additional policies, such as when assigning clients to different computer groups.
The WSUS settings in the Group Policy Editor are located at:
Computer Configuration / Policies / Administrative Templates / Windows Components / Windows Update
As shown in the picture, there are several policies. Of course, you do not have to enable all of them. In the following steps, we will only focus on the necessary policies you will need in order to establish communication between WSUS Server and clients as well as schedule update installation.
Beyond that, take some time to comprehend the other policies and enable what you think is important for your infrastructure.
The most important policies for WSUS to work properly are:
- Configure Automatic Updates
- Specify intranet Microsoft update service location
Configure Automatic Updates
A necessary policy that enables the use of Automatic Updates on the client to install updates.
After you turn the switch to Enabled, select one of the four options depending on how much ‘freedom’ you will give the end user to install the updates.
Specify intranet Microsoft update service location
Another necessary policy in which you declare WSUS Server to be detected by clients. After you set the switch to Enabled, type the WSUS Server address in the two fields like http://servername.local:8530 as shown in the figure below.
Note: If the Configure Automatic Updates policy is disabled, then this policy is not applicable.
These are the two most important policies for WSUS Server. If you encounter a problem when setting it up initially, then take a look at these policies first.
Finally, do not forget to apply the policy to the OUs of the Active Directory infrastructure.
From now on, in the next few hours, customers will begin to appear in the computer groups of the WSUS administration console. As long as you have synchronized and approved the updates, it will begin installing the updates according to the policies you implemented through the Group Policy.