Configuring WSUS on Client Computers

After you set up a client computer, it may take a few minutes before it appears on the Computers page in the WSUS console (this console is available to admins running their own WSUS server, but not for admins who point their clients at the CITES WSUS server). For client computers configured with an Active Directory-based GPO, it can take about 20 minutes after Group Policy refreshes (that is, applies any new settings to the client computer). By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0 to 30 minutes. If you want to refresh Group Policy sooner, you can go to a command prompt on the client computer and type in a console with Administrative permissions: gpupdate /force.

NOTE: If you are running your own domain, when you configure the Group Policy settings in Active Directory for WSUS, use a Group Policy Object (GPO) linked to an Active Directory container appropriate for your environment. Microsoft does not recommend editing the Default Domain or Default Domain Controller GPOs to add WSUS settings.

Using the TECHNOLOGY SERVICES Security-provided GPOs

TECHNOLOGY SERVICES Security maintains a relatively extensive list of GPOs that you can use on your OUs in order to simplify the process of using the TECHNOLOGY SERVICES WSUS server.

To link one of these policies and install the products on the machines in an OU that you control:

  1. Open the Group Policy Management Console
  2. Right click on the OU you wish to link this GPO to
  3. Click Link Existing GPO
  4. Search for the desired GPOs listed below.

The current GPOs provided by CITES Security are (in both the UIUC and UOFI domains):
DEPT_UseCITESWSUSServer_3AMUpdate_Security
DEPT_UseCITESWSUSServer_9AMUpdate_Security
DEPT_UseCITESWSUSServer_5PMUpdate_Security

DEPT_SetWSUSGroup-Upgrades_Security
DEPT_SetWSUSGroup-AllServicePacks_Security
DEPT_SetWSUSGroup-AllUpdates_Security
DEPT_SetWSUSGroup-AppServicePacks_Security
DEPT_SetWSUSGroup-Baseline_Security
DEPT_SetWSUSGroup-OSServicePacks_Security

Client-Side Targeting Groups (or "Selecting which updates your machines will receive")


The following update groups are configured on the CITES WSUS server. Bold names are ones that you may set yourself (the others are default groups that you do not want to use).

  • All Computers: This group is a Microsoft WSUS generic and default group and the parent group to all below. CITES will configure all critical updates, definitions, and security updates to be automatically approved and installed on ALL systems connecting to the CITES WSUS server. No computers should be explicitly targeted at this group though.
  • Unassigned Computers: This group is another default group for systems that connect to the WSUS server and do not use one of the client-side targeting groups listed below. By default, the computers in this group will receive all updates.
  • All Updates: This group will receive all updates from Microsoft including all of the critical updates, definitions, and security updates with the exception of driver updates.
  • Application Service Packs: This group will receive all of the critical updates,definitions, and security updates in addition to service packs for applications.
  • OS Service Packs: This group will receive all of the critical updates, definitions, and security updates in addition to service packs for the Operating System. Additionally, this group will receive updates for Internet Explorer as well as the .NET framework due to their thorough integration into the operating system on many computers. This group does not receive Lync updates.
  • Upgrades: This group receive specifies upgrades for windows 10 features and functionality.
  • All Service Packs: This group will receive all of the critical updates, definitions, and security updates in addition to the updates from the Application Service Packs and the OS Service Packs groups.
  • Baseline: This group will only receive all of the critical updates, definitions, and security updates. This does not include any application or OS service packs, including Lync updates.

Based on the data from the Weekly WSUS Approvals section of the CITES Security Brief between February of 2011 and February of 2012, here are some numbers about the frequency of reboots in each of these groups to help you decide which group is right for your machine:

Weeks that had no updates at all: 12
Weeks with no updates requiring a reboot: 11

Now breaking it down by each of our client-side targeting groups (remember that All Service Packs is a superset of OS and Application Service Packs, and that All Updates includes that and a few more):
Weeks where the OS Service Packs group had a reboot-eligible update: 9
Weeks where the Applications Service Packs group had a reboot-eligible update: 26
Weeks where the All Service Packs group had a reboot-eligible update: 28
Weeks where the All Updates group had a reboot-eligible update: 29

Based on these numbers, we can estimate that a machine in the OS Service Packs group will reboot due to the updates approximately once every 6 weeks, while members of the other groups will reboot about once every other week due to the updates (although again these numbers are high). These numbers do not include the number of times that critical or security updates (which we approve automatically to all groups as they are received) would cause a reboot.

An individual machine would not have rebooted this often so these are maximum estimates (if it installed Windows Server 2008R2 SP1 one week, it wouldn't have gotten the Windows 7 x64 SP1 the next week, and no machine is going to have all of the possible applications installed (Lync, Lync Server, Exchange Server, Office Communication Server, Office, etc.)).

Setting Up Your Own GPOs

Load the WSUS Administrative Template on older machines

Before you can set any Group Policy options for WSUS, you must ensure that the latest administrative template has been loaded on the computer used to administer Group Policy. The administrative template with WSUS settings is named Wuau.adm. Although there are additional Group Policy settings related to the Windows Update Web site, all the new Group Policy settings for WSUS are contained within the Wuau.adm file.

If the computer you are using to configure Group Policy has the latest version of Wuau.adm, you do not need to load the file to configure settings. The new version of Wuau.adm is available on Windows XP with Service Pack 2. Administrative templates files are stored by default in the %windir%\Inf directory.

Any computer that has already had Automatic Updates installed through WSUS will have the correct version of wuau.adm. You can use the old version of Wuau.adm to initially point Automatic Updates to the WSUS server in order to self-update. After the Automatic Update self-updates, the new Wuau.adm file appears in the %windir%\Inf folder.

If the computer you are using to configure Group Policy does not have the latest version of Wuau.adm, you must first load it by using the following procedure.
To add the WSUS Administrative Template:

  1. In Group Policy Object Editor, click either of the Administrative Templates nodes.
  2. On the Action menu, click Add/Remove Templates.
  3. Click Add.
  4. In the Policy Templates dialog box, select Wuau.adm, and then click Open.
  5. In the Add/Remove Templates dialog box, click Close.

Download the Wuau.adm Template

Configure Automatic Updates

The settings for this policy enable you to configure how Automatic Updates works. You must specify that Automatic Updates should download updates from the WSUS server rather than from Windows Update.

To configure the behavior of Automatic Updates:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click "Configure Automatic Updates".
  3. Click "Enabled" and select one of the following options:
  • Notify for download and notify for install. This option notifies a logged-on administrative user prior to the download and prior to the installation of the updates.
  • Auto download and notify for install. This option automatically begins downloading updates and then notifies a logged-on administrative user prior to installing the updates.
  • Auto download and schedule the install. If Automatic Updates is configured to perform a scheduled installation, you must also set the day and time for the recurring scheduled installation.
  • Allow local admin to choose setting. With this option, the local administrators are allowed to use Automatic Updates in Control Panel to select a configuration option of their choice. For example, they can choose their own scheduled installation time. Local administrators are not allowed to disable Automatic Updates.
  1. Click OK.
Specify Intranet Microsoft Update Service Location

The settings for this policy enable you to configure a WSUS server that Automatic Updates will contact for updates. You must enable this policy in order for Automatic Updates to download updates from the WSUS server.

Enter the WSUS server HTTP(S) URL twice, so that the server specified for updates is also used for reporting client events. For example, type https://wsus.cites.illinois.edu (or your secondary WSUS server) in both boxes. Both URLs are required.

To redirect Automatic Updates to a WSUS server:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click "Specify Intranet Microsoft update service location". Type https://wsus.cites.illinois.edu (or your secondary WSUS server).
  3. Click "Enabled" and type the HTTP(S) URL of the same WSUS server in both the "Set the intranet update service for detecting updates" box and in the "Set the intranet statistics server" box. For example, type https://wsus.cites.illinois.edu (or your secondary WSUS server) in both boxes.
  4. Click OK.
Enable Client-side Targeting

This policy enables client computers to self-populate computer groups that exist on the WSUS server.

If the status is set to "Enabled", the specified computer group information is sent to WSUS, which uses it to determine which updates should be deployed to this computer. This setting is only capable of indicating to the WSUS server which group the client computer should use. You must actually create the group on the WSUS server.

If the status is set to "Disabled" or "Not Configured", no computer group information will be sent to WSUS, and the computer will be placed in the 'Unassigned Computers' category described above.

To enable client-side targeting:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click "Enable client-side targeting".
  3. Click "Enabled" and enter the name of a computer group in the box. (Valid group names are listed in the SECPUB:Client-Side Targeting Groups section above.)
    It is important to enter the target group name accurately. If the group name does not exist, the machine(s) will be placed into the 'Unassigned Computers' group (which will receive all updates).
  4. Click OK.
Reschedule Automatic Update Scheduled Installations

This policy specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously.

If the status is set to "Enabled", a scheduled installation that did not take place earlier will occur the specified number of minutes after the computer is next started.

If the status is set to "Disabled", a missed scheduled installation will occur with the next scheduled installation.
If the status is set to "Not Configured", a missed scheduled installation will occur one minute after the computer is next started.

This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.

To reschedule Automatic Update scheduled installation:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click "Reschedule Automatic Update scheduled installations", click "Enable", and enter a value in minutes.
  3. Click OK.
No Auto-restart for Scheduled Automatic Update Installation Options

This policy specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.

If the status is set to "Enabled", Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged on to the computer. Instead, Automatic Updates will notify the user to restart the computer in order to complete the installation.

Be aware that Automatic Updates will not be able to detect future updates until the restart occurs. Additionally, some updates (like that for the MS05-039 Plug-n-Play vulnerability) require a reboot before the patch installation can complete. Some machines on campus that had the patch delivered were still vulnerable because they had not rebooted.

If the status is set to "Disabled" or "Not Configured", Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation.

This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.

To inhibit auto-restart for scheduled Automatic Update installation options:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, double click "No auto-restart for scheduled Automatic Update installations" options, and set the option.
  3. Click OK.
Automatic Update Detection Frequency

This policy specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here, minus 0 to 20 percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, then all WSUS clients to which this policy is applied will check for updates anywhere between 16 and 20 hours.

If the status is set to "Enabled", Automatic Updates will check for available updates at the specified interval.

If the status is set to "Disabled" or "Not Configured", Automatic Updates will check for available updates at the default interval of 22 hours.

To set Automatic Update detection frequency:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click "Automatic Update detection frequency", and set the option.
  3. Click OK.
Allow Automatic Update Immediate Installation

This policy specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.

If the status is set to "Enabled", Automatic Updates will immediately install these updates after they have been downloaded and are ready to install.

If the status is set to "Disabled", such updates will not be installed immediately.

To allow Automatic Update immediate installation:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click "Allow Automatic Update immediate installation", and set the option.
  3. Click OK.
Delay Restart for Scheduled Installations

This policy specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart.

If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished.

If the status is set to Disabled or Not Configured, the default wait time is five minutes.

To delay restarts for scheduled installations:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click "Delay restart for scheduled installations", and set the option.
  3. Click OK.
Re-prompt for Restart with Scheduled Installations

This policy specifies the amount of time for Automatic Updates to wait before prompting the user again for a scheduled restart.

If the status is set to "Enabled", a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed.

If the status is set to "Disabled" or "Not Configured", the default interval is 10 minutes.

To re-prompt for restart with scheduled installations:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click "Re-prompt for restart with scheduled installations", and set the option.
  3. Click OK.
Allow Non-administrators to Receive Update Notifications

This policy specifies whether logged-on non-administrative users will receive update notifications based on the configuration settings for Automatic Updates. If Automatic Updates is configured, by policy or locally, to notify the user either before downloading or only before installation, these notifications will be offered to any non-administrator who logs onto the computer.

If the status is set to "Enabled", Automatic Updates will include non-administrators when determining which logged-on user should receive notification.

If the status is set to "Disabled" or "Not Configured", Automatic Updates will notify only logged-on administrators.

To allow non-administrators to receive update notifications:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click "Allow non-administrators to receive update notifications", and set the option.
  3. Click OK.
This policy setting does not allow non-administrative Terminal Services users to restart the remote computer where they are logged in. This is because, by default, non-administrative Terminal Services users do not have computer restart privileges.
Remove Links and Access to Windows Update

If this setting is enabled, Automatic Updates receives updates from the WSUS server. Users who have this policy set cannot get updates from a Windows Update Web site that you have not approved. If this policy is not enabled, the Windows Update icon remains on the Start menu for local administrators to visit the Windows Update Web site. Local administrative users can use it to install unapproved software from the public Windows Update Web site. This happens even if you have specified that Automatic Updates must get approved updates from your WSUS server.

To remove links and access to Windows Update:

  1. In Group Policy Object Editor, expand User Configuration, expand Administrative Templates, and then click Start Menu and Taskbar.
  2. In the details pane, click "Remove links and access to Windows Update", and set the option.
  3. Click OK.