WSUS Group Policy Objects

Group Policy Objects (GPOs) are rule sets in Active Directory that are applied to the objects in the Organizational Unit (OU) they are linked to and in its child OUs. We will create and link several GPOs to direct workstations and servers to report to our WSUS server. This guide follows the default setup used in the WSUS ABC Core tutorial.

To configure Active Directory to manage Windows Updates through WSUS we will need several GPOs, created and linked with the Group Policy Management (GPM) tool on one of the domain controllers. The first GPO we will set up is a catch-all that makes sure every computer in the domain registers with the WSUS server. This catch-all carries no patching rules, only the connection information for the WSUS server; the more specific GPOs we create later will override it. Right-click the domain in GPM and select “Create a GPO in this domain, and link it here…”

Create a new Group Policy Object

On the New GPO screen presented, type “WSUS-BaseReporting” in the Name field. It is a good idea to prefix new GPO names with a category so that similar GPOs will group together when listed and their basic functionality is readily apparent. We will be creating all GPOs for this project with the prefix “WSUS”.

Once the GPO is created, it will appear in the left panel. Select the new GPO and right-click it, then select Edit.

Edit a Group Policy Object

Once the editor is open, navigate to the path below. All of the Windows Update settings we make in this GPO and in the following GPOs live in this section.

Computer Configuration / Policies / Administrative Templates / Windows Components / Windows Update

Double-click the option for Configure Automatic Updates. Set it to Enabled and select option 3 – Auto Download and Notify For Install. Click OK.

Configure Automatic Updates

The only other setting we need here is Specify Intranet Microsoft Update Service Location, which tells clients where the WSUS server is. Set the rule to Enabled, then set both the intranet update service location and the intranet statistics service location to the WSUS server. Each is an http or https URI (http by default) pointing at the port designated for WSUS (default 8530). It is best to do this by IP address and not name. The format will be http://<server IP>:8530

Specify Intranet Microsoft Update Service Location

At this point you should begin to see computers in Active Directory registering themselves with WSUS. Since we haven’t designated group memberships yet, they will all show up as Unassigned Computers. This can take some time to happen organically, because the GPO must replicate to the other domain controllers and clients must refresh their policies (default 22 hours for WSUS check-in). Notice that the computers connect and register with WSUS even before their status has been set.
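To confirm on an individual client that the WSUS-BaseReporting GPO has actually applied, rather than waiting for the machine to show up in the console, the following PowerShell check reads the registry values the two policies above write and compares them to what the tutorial configured. This is an added example, not part of the original tutorial; the WSUS URL is a placeholder, and the registry paths are the standard locations Windows Update policy is written to (HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey).

```powershell
# Added example (not part of the original tutorial): verify on a client that the
# WSUS-BaseReporting GPO arrived. Policy-applied Windows Update settings live under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey.
# The WSUS URL below is a placeholder; replace it with your server's address.
$ExpectedServer = 'http://<server IP>:8530'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

if (-not (Test-Path $wuKey)) {
    Write-Warning "No Windows Update policy key found; the GPO has not applied yet (try 'gpupdate /force', then 'gpresult /r')."
    return
}

$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

# Map each setting from the GPO editor to the registry value it writes.
$checks = @(
    @{ Setting = 'Intranet update service location';     Actual = $wu.WUServer;       Expected = $ExpectedServer }
    @{ Setting = 'Intranet statistics service location'; Actual = $wu.WUStatusServer; Expected = $ExpectedServer }
    @{ Setting = 'Use WSUS server (UseWUServer)';        Actual = $au.UseWUServer;    Expected = 1 }
    @{ Setting = 'Configure Automatic Updates option';   Actual = $au.AUOptions;      Expected = 3 }
)

foreach ($c in $checks) {
    $status = if ("$($c.Actual)" -eq "$($c.Expected)") { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}: actual='{2}' expected='{3}'" -f $status, $c.Setting, $c.Actual, $c.Expected)
}

# Client-side targeting (configured later in this guide) writes these two values.
if ($wu.TargetGroupEnabled -eq 1) {
    Write-Output "Client-side targeting enabled; this machine registers in WSUS group '$($wu.TargetGroup)'."
} else {
    Write-Output 'Client-side targeting not set; this machine will appear under Unassigned Computers.'
}

# A plain http URI means the client's exchange with WSUS is not authenticated or
# encrypted on the network; flag it so an https URI can be considered.
if ($wu.WUServer -like 'http://*') {
    Write-Warning 'WUServer uses plain http; consider an https URI backed by a certificate the clients trust.'
}
```

Run it in an elevated PowerShell session on a domain-joined client; a FAIL line for the server location means the policy has not replicated or refreshed yet, while a FAIL for AUOptions usually means a more specific GPO further down the OU tree has overridden the catch-all, which is the behaviour the later sections rely on.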

WSUS Unassigned Computers

Now let’s go back and make some more specific GPOs for our different WSUS groups. Back in the GPM tool, locate an OU appropriate for our production servers and create a new GPO as before, except this time create and link it by right-clicking that OU before selecting “Create a new…”, and name the GPO “WSUS-Servers PROD”.

New Production Server GPO

When we edit this GPO we go to the same section as before, listed below. The bare minimum for this GPO is to double-click the Enable Client-Side Targeting rule, enable it, and type PROD in the target group field. This instructs any computer that inherits this GPO to register itself in the PROD group in WSUS.

Computer Configuration / Policies / Administrative Templates / Windows Components / Windows Update

Define Target Group for Computers

As you create the other GPOs to target other computer groups (TEST, DEV, WORKSTATIONS, etc.) you should also set Windows Update rules in each GPO that model the patching appropriate for that type of computer. For example, PROD servers are usually set to download and manually install, while WORKSTATIONS that users would otherwise leave unpatched should probably be patched more aggressively by forcing installs and reboots (be polite and schedule with respect). If you have a situation where users aren’t rebooting for patches to apply, try using WSUS WORKSTATION Rebooter.
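The whole procedure, from the catch-all WSUS-BaseReporting GPO linked at the domain root through the per-OU client-side targeting GPOs, can also be scripted with the GroupPolicy module that ships with RSAT and with domain controllers. The script below is an added example, not from the original tutorial: it writes the same registry-based policy values the Administrative Template settings above produce (WUServer, WUStatusServer, UseWUServer, AUOptions, TargetGroupEnabled, TargetGroup). The WSUS URL, the domain distinguished name, the OU names and the AUOptions values chosen for the TEST and WORKSTATIONS groups are placeholders and assumptions to adapt to your environment.

```powershell
# Added example (not from the original tutorial): build the tutorial's GPOs with the
# GroupPolicy module instead of clicking through GPM. Run on a domain controller or a
# machine with RSAT, as a user allowed to create and link GPOs.
Import-Module GroupPolicy

$WsusUrl  = 'http://<server IP>:8530'   # placeholder: WSUS server address
$DomainDN = 'DC=example,DC=local'       # placeholder: your domain's distinguished name
$WuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey    = "$WuKey\AU"

# --- Catch-all GPO: connection information only, linked at the domain root ---
$base = New-GPO -Name 'WSUS-BaseReporting' -Comment 'Point every computer at the WSUS server'
Set-GPRegistryValue -Name $base.DisplayName -Key $WuKey -ValueName 'WUServer'       -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $base.DisplayName -Key $WuKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $base.DisplayName -Key $AuKey -ValueName 'UseWUServer'    -Type DWord  -Value 1        | Out-Null
# Configure Automatic Updates = Enabled, option 3 (auto download and notify for install)
Set-GPRegistryValue -Name $base.DisplayName -Key $AuKey -ValueName 'NoAutoUpdate'   -Type DWord  -Value 0        | Out-Null
Set-GPRegistryValue -Name $base.DisplayName -Key $AuKey -ValueName 'AUOptions'      -Type DWord  -Value 3        | Out-Null
New-GPLink -Name $base.DisplayName -Target $DomainDN -LinkEnabled Yes | Out-Null

# --- Per-group GPOs: client-side targeting, each linked on its own OU ---
# OU names are placeholders. AUOptions models the patching stance for each group:
# 3 = download and notify (manual install) for PROD, 4 = auto download and scheduled
# install for the groups that should be patched more aggressively (an assumption).
$groups = @(
    @{ Name = 'WSUS-Servers PROD'; Target = 'PROD';         OU = "OU=Prod Servers,$DomainDN"; AUOptions = 3 }
    @{ Name = 'WSUS-Servers TEST'; Target = 'TEST';         OU = "OU=Test Servers,$DomainDN"; AUOptions = 4 }
    @{ Name = 'WSUS-Workstations'; Target = 'WORKSTATIONS'; OU = "OU=Workstations,$DomainDN"; AUOptions = 4 }
)

foreach ($g in $groups) {
    $gpo = New-GPO -Name $g.Name -Comment "WSUS client-side targeting: $($g.Target)"
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $WuKey -ValueName 'TargetGroupEnabled' -Type DWord  -Value 1            | Out-Null
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $WuKey -ValueName 'TargetGroup'        -Type String -Value $g.Target    | Out-Null
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $AuKey -ValueName 'NoAutoUpdate'       -Type DWord  -Value 0            | Out-Null
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $AuKey -ValueName 'AUOptions'          -Type DWord  -Value $g.AUOptions | Out-Null
    New-GPLink -Name $gpo.DisplayName -Target $g.OU -LinkEnabled Yes | Out-Null
}

# Review what each WSUS-* GPO will write before waiting for replication and client refresh.
foreach ($gpo in (Get-GPO -All | Where-Object DisplayName -like 'WSUS-*')) {
    Get-GPRegistryValue -Name $gpo.DisplayName -Key $WuKey |
        Select-Object @{ n = 'GPO'; e = { $gpo.DisplayName } }, ValueName, Value
}
```

Because the targeting GPOs are linked lower in the OU tree than the catch-all, their AUOptions value wins on the computers in those OUs while the WUServer values inherited from WSUS-BaseReporting still apply, which is exactly the layering the tutorial describes; the final loop lets you confirm the values in each GPO before any client has checked in.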

-fin