Friday, July 6, 2012

Configuring the WSUS Client by Group Policy

The quickest and easiest way to configure systems to auto-update using Windows Server Update Services (WSUS) is to use group policy within Active Directory. This document assumes familiarity with using "Active Directory Users and Computers" to manage group policy.

The client PCs need to be running Windows 2000 SP4, Windows XP SP2, Windows Server 2003 (SP1 or above) or Windows Vista. (Technically this product works with the previous SPs, but we have decided not to approve the full service pack updates for installation as support staff may not wish SP updates to be approved automatically. Some PCs will fail with these updates, e.g. if free hard disk space is too small. In any case you should not be connecting systems with earlier SPs than those listed above to the network. MS does not provide update support for these SPs.)

First, select the Organisational Unit (OU) to which you wish to apply the policy. Then choose an existing Group Policy Object (GPO) to which you wish to add the Auto Update configuration, or alternatively create a new GPO. Open the GPO.



Under Computer Configuration, right-click on Administrative Templates and choose Add/Remove Templates....




You will see a dialog box that looks something like this:




We need to add a new template containing the WSUS settings, so click Add....



We need to add wuau.adm. This may or may not already be present in the \windows\inf folder. If it is present, please check its size. If it is less than 49kB, it's an old version. The newer version of wuau.adm can be downloaded from here (Windows Policy Template, 50KB) and saved to \windows\inf.

You should now see the wuau.adm template included in the list. Here it's listed with the smaller size (49kB, as opposed to 50kB). Again, if wuau.adm shows up as smaller, you have the wrong version.




Next, expand the tree to get to Computer Configuration/Administrative Templates/Windows Components/Windows Update. Under Windows Update, you should see fifteen policy settings, as shown below. If you see only two or four, you have loaded an old version of wuau.adm.




This document explains the minimum configuration required to use WSUS; for more information on the other settings, read the description provided by Windows.

We'll start at the top. Double-click on Configure Automatic Updates.

In Configure Automatic Updates Properties, choose Enabled. Choose "4. Auto download and schedule the install"; select an installation day (either "every day", or choose the day of the week on which you'd like updates to take place); select an installation time (the default is 3am; we recommend that you schedule updates for a time when no one is likely to be using the computer, even if you'd expect the computer to be switched off at that time). Click on OK to close the dialog box.




Open the setting Specify intranet Microsoft update service location. In the properties dialog, choose Enabled. Then, set both the intranet update service and the intranet statistics server to http://is-wsus.bris.ac.uk/ as shown below. Click on OK to close the dialog box.




This version of WSUS can be set to update Microsoft Office packages (Office XP (2002), 2003, 2007) in addition to Windows itself. This is optional and will not happen unless you enable it. To have the WSUS client install Office updates (provided that Office was installed from an unpatched original copy): open the setting Enable client-side targeting. In the properties dialog, choose Enabled. Then set the target group name to OfficeUpdates as shown below. Click on OK to close the dialog box.




Open the setting Reschedule Automatic Updates scheduled installations. In the properties dialog, choose Enabled. Leave the Wait after system startup setting at five minutes. We suggest that if you do decrease this amount, you set it to no less than two minutes. Click on OK to close the dialog box.




Open the setting No auto-restart for scheduled Automatic Updates installations. In the properties dialog, choose Enabled. This will prevent the computer from restarting automatically after performing updates (and will avoid work being lost).

Open the setting Allow Automatic Updates immediate installation. In the properties dialog, choose Enabled. This will allow the computer to silently install updates that do not interrupt services or require a reboot.



The settings above should allow your computers to automatically stay up to date with security patches and minimise the risk of work being lost.
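
To confirm on a client that the GPO has actually applied, the following added example (not part of the original post) reads the registry values that these Windows Update policy settings write and compares them with the choices made in the walkthrough. It assumes PowerShell 3.0 or later on the client and treats the OfficeUpdates target group as optional; the variable names are illustrative.

```powershell
# Added example: audit the local WSUS client policy against the walkthrough.
# Run on a client after the GPO has been refreshed (e.g. gpupdate /force).
$wu   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au   = "$wu\AU"
$wsus = 'http://is-wsus.bris.ac.uk'   # server URL from the page, trailing slash trimmed

# One entry per registry value; Ok is the test the stored value must pass.
$checks = @(
    # Configure Automatic Updates: Enabled, option 4, scheduled day and time
    @{ Key = $au; Name = 'NoAutoUpdate';         Ok = { param($v) $v -eq 0 } }
    @{ Key = $au; Name = 'AUOptions';            Ok = { param($v) $v -eq 4 } }
    @{ Key = $au; Name = 'ScheduledInstallDay';  Ok = { param($v) (0..7) -contains $v } }   # 0 = every day
    @{ Key = $au; Name = 'ScheduledInstallTime'; Ok = { param($v) (0..23) -contains $v } }  # hour of day
    # Specify intranet Microsoft update service location
    @{ Key = $au; Name = 'UseWUServer';          Ok = { param($v) $v -eq 1 } }
    @{ Key = $wu; Name = 'WUServer';             Ok = { param($v) "$v".TrimEnd('/') -eq $wsus } }
    @{ Key = $wu; Name = 'WUStatusServer';       Ok = { param($v) "$v".TrimEnd('/') -eq $wsus } }
    # Enable client-side targeting (optional, Office updates only)
    @{ Key = $wu; Name = 'TargetGroupEnabled';   Ok = { param($v) $v -eq 1 }; Optional = $true }
    @{ Key = $wu; Name = 'TargetGroup';          Ok = { param($v) $v -eq 'OfficeUpdates' }; Optional = $true }
    # Reschedule scheduled installations: wait of at least two minutes
    @{ Key = $au; Name = 'RescheduleWaitTimeEnabled'; Ok = { param($v) $v -eq 1 } }
    @{ Key = $au; Name = 'RescheduleWaitTime';        Ok = { param($v) $v -ge 2 } }
    # No auto-restart, and allow immediate installation
    @{ Key = $au; Name = 'NoAutoRebootWithLoggedOnUsers'; Ok = { param($v) $v -eq 1 } }
    @{ Key = $au; Name = 'AutoInstallMinorUpdates';       Ok = { param($v) $v -eq 1 } }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the policy has not reached this machine.
    $props = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
    $value = if ($props) { $props.($c.Name) } else { $null }

    if ($null -eq $value) {
        $state = if ($c.Optional) { 'NotSet (optional)' } else { 'Missing' }
    }
    elseif (& $c.Ok $value) { $state = 'OK' }
    else                    { $state = 'Mismatch' }

    [pscustomobject]@{ Setting = $c.Name; Value = $value; State = $state }
}

$results | Format-Table -AutoSize

# Non-zero exit code if any required setting is missing or wrong.
if ($results.State -contains 'Missing' -or $results.State -contains 'Mismatch') { exit 1 }
```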
