In the last four articles, we discussed WSUS fundamentals, how to install WSUS on your Windows Server 2022, how to perform an initial configuration, and how to create computer groups. Even when things are configured on WSUS, clients will not be able to download updates. The reason? They don’t know that WSUS is installed and how to find it.

Table of Contents

  1. Step 1: Create group policy (GPO)
  2. Step 2: Configure group policy
  3. How can you verify which targets the clients are using?

In this article, I will show you how to inform clients that the WSUS server is installed, how to locate it, and when to download and install updates. To achieve this, we will create group policies on the Domain Controller.

Protect Your Data with BDRSuite

Cost-Effective Backup Solution for VMs, Servers, Endpoints, Cloud VMs & SaaS applications. Supports On-Premise, Remote, Hybrid and Cloud Backup, including Disaster Recovery, Ransomware Defense & more!

We will break it down into two steps. In the first step, we will create a GPO, and in the second step, we will configure and deploy it to your WSUS clients.

Step 1: Create group policy (GPO)

In the first step, we will create a new group policy dedicated to WSUS and configure it to ensure that your target machines know where to look for updates.

Download Banner
  1. Log in to your Domain Controller
  2. Open Server Manager, navigate to Tools and then select Group Policy Management.
  3. Expand your domain
  4. In a previous article, we created a new group policy for client-side targeting. If you followed that procedure, you can continue from Step 2: Configure group policy. If you haven’t done so, please read on. Right-click on the domain, then select Create a GPO in this domain, and link it here.”

    5. WSUS clients

    Create a GPO in this domain, and Link it here…

  5. Type the name of the GPO and click OK. In my case it is WSUS.

WSUS clients

Enter the name for a new GPO

Step 2: Configure group policy

In the second step, we will configure two group policies. One is for informing clients about where to download updates, and the second is about when to automatically download and install them.

  1. Right click on the GPO you created and then click Edit

    2. WSUS clients

    Edit your GPO

  2. Expand Computer Configuration > Policies > Administrative Templates > Policy > Windows Components > Windows Updates.

    3. WSUS clients

    Navigate to Windows Update

  3. Navigate to policy Specify intranet Microsoft update service location

    4. WSUS clients

    Specify intranet Microsoft update service location

  4. Right click on it and then click Edit.
  5. Select Enable, and then under Set the Intranet update service for detecting updates and Set the intranet statistics server, input the FQDN of your WSUS server. In my case, it is wsus.techwithjasmin.com

    6. WSUS clients

    Configure intranet update service

  6. Click Apply and then OK
  7. Navigate to Configure Automatic Updates to configure how and when Windows will download updates

    8. WSUS clients

    Navigate to Configure Automatic Updates

  8. Right click on it and then click Edit.
  9. Select Enable, and then under Configure automatic updating, choose option 4 – Auto download and schedule the install. Additionally, under Scheduled install day, select when you want to install updates. In my case, Windows will automatically download updates and install them every Saturday at 4 AM UTC

    10. WSUS clients

    Configure automatic updating

  10. Click Apply and then Ok

You have successfully configured two group policies to ensure the proper distribution, downloading, and installation of updates on clients. These changes will take effect on WSUS clients after the next sign-out/sign-in or reboot.
To force the update, you can go to the client machine and enter ‘gpupdate /force’ in the Command Prompt or PowerShell.

WSUS clients

gpupdate /force

How can you verify which targets the clients are using?

After publishing the group policies within your domain or organizational group, WSUS clients will apply the changes as needed. To confirm whether Windows clients have successfully applied the modifications and are now updating from the WSUS server instead of Microsoft, you should open the Registry on one of your clients and verify if the changes have taken effect.

  1. Open Registry Editor
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  3. Locate the two registry keys: ‘WUServer’ and ‘WUStatusServer’. Both of these keys should indicate from where your clients are downloading updates

WSUS clients

WUServer and WUServer Status

That’s all for today. In the next article, we will explore how to configure auto-approval rules in WSUS.

Read More:

WSUS : Get Started with Windows Server Update Services (WSUS) – Part 1
WSUS : Windows Server Update Services (WSUS) installation on Windows Server 2022 – Part 2
WSUS: Post-deployment WSUS configuration – Part 3
WSUS: Create Computer groups in WSUS – Part 4

Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.

Rate this post