How to Setup, Manage, and Maintain WSUS: Part 4 – Creating your GPOs for an Inheritance Setup

Last updated 2022.10.22 | Published on 2018.06.01 | Guides, WSUS

Critical Thinking & Grammar

When you are doing anything in Group Policy (GPOs), you must read the description and especially the requirements CRITICALLY, as Microsoft has clarified which policies apply to which OS. Take note of the words:

  • ‘through’ – meaning from the first-mentioned OS until the last-mentioned OS. After the last-mentioned OS the policy no longer applies.
  • ‘At least’ – meaning the mentioned OS and anything after it
  • ‘excluding’ – meaning that even though it falls into the scope of the previous statements, it does not apply to the mentioned OS
  • ‘or’ – self-explanatory – either of the two mentioned OS
  • ‘,’ and ‘.’ – comma and period placement is VERY important. It separates OS lists, ideas, or full thoughts.

Eg:

At least Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3 through Windows 8.1 or Windows Server 2012 R2 with most current service pack. Not supported on Windows 10 and above.

Applies:
  • Windows XP SP1
  • Windows 2000 SP3
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 8 RT
  • Windows Server 2000 SP3
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2 RTM
  • Windows Server 2012 R2 with latest Service Pack (now called Cumulative Updates)

Does not apply to:
  • Windows XP RTM
  • Windows 2000 RTM/SP1/SP2
  • Windows Server 2000 RTM
  • Windows Server 2000 SP1
  • Windows Server 2000 SP2
  • Windows 10
  • Windows 11
  • Windows NEXT (next versions)

Set policies only when you need them to be different than the defaults. Microsoft has done a decent job at setting the defaults for client machines in recent years. As both Windows and Windows Server have developed, the updating process also has developed, contrary to what many believe. The defaults on Windows clients are the same ones that are set for all of the Windows Home systems and Windows Pro systems that do not have any group policies applied.

Create a GPO – “WSUS – Location”

Create a GPO named “WSUS – Location” to JUST point to the FQDN of the WSUS server. This way, if you have more than 1 WSUS server, you can create multiple Location URLs and assign them to each AD Site to automatically allow each site to update from their respective local WSUS server.

If you are storing files locally on the WSUS server, you will want to specify the same URL for all 3 locations (intranet update service, intranet statistics server, and the alternate download server). If you are not going to store the update files locally and want all your clients to download directly from Microsoft, do NOT set the alternative download server – it must be blank.

You cannot specify 2 different URLs for the ‘intranet update service’ and the ‘intranet statistics server’ – They must be the same one. If you attempt to specify 2 different URLs, reporting will not work.

When specifying the URL, make sure to add in the port number at the end separated with a colon. If you are using Server 2012 or higher, the default WSUS ports are 8530/8531. If you’re using Server 2008R2 or lower (I hope by now you are not), or you have told WSUS to not use the custom website using [wsusutil usecustomwebsite false], the default WSUS ports are 80/443. Do not change IIS directly when working with WSUS. Ensure you are using wsusutil to make the change.

Although an IP address can be used, use the FQDN: it gives proper DNS resolution in any circumstance, is best practice, and is required for any public SSL certificate. Do not add a trailing slash [/] to the URL.

Under: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service

Or if you have not updated your ADMX files yet (Hint – go do that):
Under: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Scenario 1:

You have a single WSUS server, or you want all systems to pull from a single WSUS server.

For most, all other settings in this window should be left at their defaults (nothing else checked, default selections kept).

Scenario 2:

You have 2 WSUS servers, one located at head office, the other located at a satellite office. When a system is at the head office, you want the computer to pull updates from the main WSUS server. When a system is at the satellite office, you want the computer to pull from the local WSUS server in the satellite office.

GPO: “WSUS – Location – Head Office”

For most, all other settings in this window should be left at their defaults (nothing else checked, default selections kept).

GPO: “WSUS – Location – Satellite Office”

For most, all other settings in this window should be left at their defaults (nothing else checked, default selections kept).
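As an added example that is not part of the original guide: the Scenario 2 GPOs built with the GroupPolicy RSAT module instead of the GPMC GUI. It writes the registry values behind the “Specify intranet Microsoft update service location” policy and refuses any URL that breaks the rules above (missing port, trailing slash, bare IP instead of FQDN), and it always writes the same URL for the update service and the statistics server. The server names, port and AD site DNs are constructed placeholders.

```powershell
# Added example, not code from the AJ Tek guide: create the "WSUS – Location"
# GPO(s) with the GroupPolicy RSAT module and enforce the URL rules from the
# section above before anything is written into the GPO.
# Assumptions (constructed sample values): wsus-ho.corp.example.com and
# wsus-sat.corp.example.com are the two WSUS servers, port 8530 (Server 2012+).
Import-Module GroupPolicy

# Registry values behind "Specify intranet Microsoft update service location".
$WuPolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusLocationUrl {
    param([Parameter(Mandatory)][string]$Url)
    # No trailing slash, nothing after the port, and the port must be explicit.
    if ($Url -notmatch '^https?://[^/:]+:\d+$') {
        throw "Expected http(s)://<fqdn>:<port> with no trailing slash, got: $Url"
    }
    $uri = [System.Uri]$Url
    # FQDN: a DNS name with at least one dot, not an IP address or a bare host name.
    if ($uri.HostNameType -ne [System.UriHostNameType]::Dns -or $uri.Host -notmatch '\.') {
        throw "Host must be a fully qualified DNS name, got: $($uri.Host)"
    }
    return $true
}

function New-WsusLocationGpo {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$WsusUrl,
        [switch]$StoresFilesLocally   # update content is kept on the WSUS server
    )
    [void](Test-WsusLocationUrl -Url $WsusUrl)
    try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
    catch { $gpo = New-GPO -Name $GpoName }

    # Update service and statistics server must be the same URL or reporting breaks.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        [void](Set-GPRegistryValue -Name $GpoName -Key $WuPolicyKey -ValueName $name `
            -Type String -Value $WsusUrl)
    }
    # UseWUServer=1 under the AU subkey is what turns the intranet location on.
    [void](Set-GPRegistryValue -Name $GpoName -Key "$WuPolicyKey\AU" -ValueName 'UseWUServer' `
        -Type DWord -Value 1)

    if ($StoresFilesLocally) {
        # Files stored on WSUS: the alternate download server gets the same URL.
        [void](Set-GPRegistryValue -Name $GpoName -Key $WuPolicyKey `
            -ValueName 'UpdateServiceUrlAlternate' -Type String -Value $WsusUrl)
    } else {
        # Content comes from Microsoft: the alternate server must stay blank,
        # so remove any stale value rather than leaving it behind.
        Remove-GPRegistryValue -Name $GpoName -Key $WuPolicyKey `
            -ValueName 'UpdateServiceUrlAlternate' -ErrorAction SilentlyContinue | Out-Null
    }
    return $gpo
}

# Scenario 2: one GPO per site, each linked to its AD site so clients at that
# site pick the local WSUS server automatically. Site DNs are placeholders.
$sites = @{
    'WSUS – Location – Head Office'      = @{ Url = 'http://wsus-ho.corp.example.com:8530'
                                              Dn  = 'CN=HeadOffice,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com' }
    'WSUS – Location – Satellite Office' = @{ Url = 'http://wsus-sat.corp.example.com:8530'
                                              Dn  = 'CN=Satellite,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com' }
}
foreach ($gpoName in $sites.Keys) {
    $gpo = New-WsusLocationGpo -GpoName $gpoName -WsusUrl $sites[$gpoName].Url -StoresFilesLocally
    New-GPLink -Guid $gpo.Id -Target $sites[$gpoName].Dn -LinkEnabled Yes -ErrorAction SilentlyContinue
}
```

Drop the -StoresFilesLocally switch if clients download content directly from Microsoft, and the script removes the alternate download server value instead of setting it.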

Create a GPO – ‘WSUS – Specify Source Service’

Microsoft has developed a new policy that clears up all the confusion about which updates come from which update service. We put this into a standalone GPO because you may wish to create several of these for your systems and apply them at different levels, depending on your environment.

Scenario 1:

You want to have WSUS handle everything (Feature Updates, Quality Updates, Driver Updates, and Other Updates).

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service

  • Specify source service for specific classes of Windows Updates: Enabled
    • Feature Updates: Windows Server Update Services
    • Quality Updates: Windows Server Update Services
    • Driver Updates: Windows Server Update Services
    • Other Updates: Windows Server Update Services

Scenario 2:

You want WSUS to handle all Feature Updates, Quality Updates (Cumulative Updates), and Other Updates, but wish to have Windows Update handle Driver Updates. In this case, you would not need to enable the Drivers category in WSUS, yet systems still receive Driver updates from Windows Update when available.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service

  • Specify source service for specific classes of Windows Updates: Enabled
    • Feature Updates: Windows Server Update Services
    • Quality Updates: Windows Server Update Services
    • Driver Updates: Windows Update
    • Other Updates: Windows Server Update Services

Scenario 3:

You have a head office that uses WSUS, but 6 or 7 remote workers in a satellite office that has no servers, a slow connection between the offices, and a fast Internet connection at the satellite office. You may want to give only those satellite systems a specific source service policy that sends them directly to Microsoft for everything, while for your head office you want all the updates to come from WSUS.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service

GPO: “WSUS – Specify Source Service – Head Office”

  • Specify source service for specific classes of Windows Updates: Enabled
    • Feature Updates: Windows Server Update Services
    • Quality Updates: Windows Server Update Services
    • Driver Updates: Windows Server Update Services
    • Other Updates: Windows Server Update Services

GPO: “WSUS – Specify Source Service – Satellite Office”

  • Specify source service for specific classes of Windows Updates: Enabled
    • Feature Updates: Windows Update
    • Quality Updates: Windows Update
    • Driver Updates: Windows Update
    • Other Updates: Windows Update

Workstation GPOs – Create Rings

Create a GPO – “WSUS – Workstations – Ring 1 – Test-Workstations”

This GPO is just a Target group GPO for the client-side targeting of WSUS. Specify both targets separated by a semi-colon and a space.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service

  • Enable client-side targeting: Enabled
  • Target group name for this computer: Workstations; Test – Workstations

This will create a group membership assignment so that you can include your Test Computers in Ring 1.

Create a GPO – ‘WSUS – Workstations – Ring 2 – Broad’

We can utilize Delivery Optimization (DO) to make our lives easier. Set Download Mode so that clients only download from peer-to-peer connections on the same LAN. It makes the load lighter on your WSUS Server if you have many clients, and downloading the updates from each other is faster than all downloading at once from the WSUS Server. Updates will still only install on the machines if they are approved for that group, so you do not have to worry about stray updates installing on systems you do not want them to install on.

Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization

  • Download Mode: Enabled
    • Download Mode: LAN

When utilizing DO, the Windows Update Client will ask WSUS to start sending an update file, and then, once it has started, it will ask any other peer computers whether the file is available for download from them. If other peer computers have it, DO takes over and continues downloading the file from a peer. The Windows Update Client will then ask WSUS for another update file and the process starts over again. If a file has not been cached on a peer, the file continues to be downloaded from WSUS until it is finished, and that client then caches it for other peers.

The Windows Update Client Policies

Think about your Workstations, and get out your notes of what workstations you have in your network. Go through each of the policies in Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. Microsoft has created a new folder structure in the latest ADMX Templates to make this much easier to manage. Try to stay out of the ‘Legacy Policies’ folder. If you only have Windows 10 or higher in your environment, you can avoid the Legacy Policies altogether. In some cases, it may be a good idea to create multiple policies if you must enable any of the legacy policies, and apply those policies ONLY to those computers (through scoping) that need them.

If you are using Windows Defender or any other definition-based product from Microsoft, you will want to enable “Automatic Updates detection frequency” and set the detection frequency to something short like 1 or 2 hours so that the systems can find the latest definition files faster from WSUS. You must also set the auto-approval rule in WSUS for definition files, or this won’t do anything.

Our Suggested Policies

Set ONLY these policies to have the best effect.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage end user experience

  • Turn off auto-restart for updates during active hours: Enabled
    • Active Hours Start: 8 AM (pick a time that is relevant to your business)
    • Active Hours End: 6 PM (pick a time that is relevant to your business)
  • Configure Automatic Updates: Enabled
    • Configure automatic updating: 4 – Auto download and schedule the install
    • The following settings are only required and applicable if 4 is selected.
    • Install during automatic maintenance: DISABLED (force Windows to install at the scheduled time, rather than during the default 2AM maintenance window that Windows has)
    • Scheduled install day: 0 – Every day
    • Scheduled install time: 16:00 (pick a time where most systems will be turned on based on your business)
    • Check – Every week
    • Install updates for other Microsoft products: Enabled (You are using WSUS to control what updates are presented to the systems, including other Microsoft products, but in some cases, you want to allow for communication and checking with Microsoft Update, particularly for items that are not in WSUS. This does not mean that it will automatically install software or drivers from Microsoft Update without your approval. This is just a scanning source that will make your life easier. This turns on [Settings > Windows Updates > Advanced Options > “Receive updates for other Microsoft Products”])
  • Specify deadlines for automatic updates and restarts: Enabled
    • Quality Updates Deadline: 5 Days
    • Quality Updates Grace period: 2 Days
    • Feature Updates Deadline: 5 Days
    • Feature Updates Grace period: 2 Days
    • Ensure no checkmark is in “Don’t auto-restart until end of grace period”. This way, if the computer is not in use and nobody is logged in, Windows can restart the computer to apply the updates.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service

  • Automatic Updates detection frequency: Enabled
    • Check for updates at the following interval (hours): 4 (or 1 or 2 if you have Windows Defender or any other definition-based product from Microsoft)
  • Enable client-side targeting: Enabled
    • Target group name for this computer: Workstations

The previous version of our guide said to use these 2 Legacy Policies; we now recommend not using them, as they are Legacy Policies.

  • No auto-restart with logged on users for scheduled automatic updates installations: Disabled (We now recommend this be set to “Not configured”)
  • Configure auto-restart reminder notifications for updates: Enabled (60 Minutes) (We now recommend this be set to “Not configured”)

Some of you may not like these settings as they ‘allow’ restarts of computers automatically, even with users logged in. Please be aware, Microsoft has changed their viewpoint on updates due to people who ‘never’ restart their computers. Most cumulative security updates will only apply after a restart, and since Microsoft’s focus is on security, both Microsoft and AJ Tek recommend forcing systems to reboot after a certain point. As systems upgrade to anything past Windows 10 1709, you regain more control over how much leeway users get to delay a reboot when they need to finish their work.

Change how you think, Change your life! One way to deal with this is to create a new WSUS Group for the systems on which you wish to delay these updates, approve updates to this group only in a known update window, and change their GPO to check for updates every hour. This way the systems will update quickly, notify the user that their system has updated and will reboot during off hours, and the user can reboot immediately before starting on a large computing project.

I Want Notifications!!!

What about those notifications to the users that their computer is going to be restarting? Microsoft has really dropped the ball on this one. Since the initial release of Windows 10, notifications for restarts from updates have been non-existent. Microsoft has been trying to listen to their customers and in Windows 10 1703 introduced a notification system to notify users of impending restarts due to Windows Updates. In Windows 10 1809, they improved on this notification system. The problem: Microsoft’s GPO cohesiveness with the new Settings app specifically. We have a left-hand, right-hand issue here where the GPO team has not caught up to the Settings app team. There is simply no GPO setting (that we have found) that sets the notification registry value the Settings app controls. Even with the release of Windows 11 and the new ADMX Templates in 2021, this GPO setting still does not exist.

So, how can we solve this problem? Use group policy preferences (GPP) to set the registry settings properly.

In Computer Configuration > Preferences > Windows Settings > Registry

Create a new registry item with the Update action:

For Windows 10 1703 to 1803 inclusive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings\RestartNotificationsAllowed

For Windows 10 1809 and later
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings\RestartNotificationsAllowed2

Value type: REG_DWORD
Value data:
0 = Off
1 = On

This option correlates to:

Windows 10:
Settings App > Update & Security > Windows Update > Advanced Options > Update notifications > “Show a notification when your PC requires a restart to finish updating”

Windows 11:
Settings > Windows Update > Advanced Options > “Notify me when a restart is required to finish updating”
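An added client-side check that is not part of the original guide: run it elevated on a workstation after gpupdate /force to confirm that the Location, Specify Source Service, client-side targeting, Delivery Optimization and restart-notification settings above resolved to the registry values the ADMX policies and the GPP item write, and to flag the mistakes the guide warns about (mismatched update/statistics URLs, trailing slash, targeting or notifications not applied). The registry value names are those the policies map to, not names listed in the guide; the expected target group and detection interval are parameters.

```powershell
# Added example, not code from the AJ Tek guide: after "gpupdate /force" on a
# client, read the policy registry values the GPOs above write and flag the
# mistakes the guide warns about. Run elevated. The value names below are the
# ones the ADMX policies and the GPP registry item map to.
param(
    [string]$ExpectedTargetGroup = 'Workstations',
    [int]$ExpectedDetectionHours = 4
)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
$do = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$ux = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of an error when the policy never applied.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = [System.Collections.Generic.List[string]]::new()

# "WSUS – Location": both URLs present and identical, alternate server consistent.
$server = Get-RegValue $wu 'WUServer'
$status = Get-RegValue $wu 'WUStatusServer'
$alt    = Get-RegValue $wu 'UpdateServiceUrlAlternate'
if (-not $server) { $findings.Add('WUServer not set: the Location GPO did not apply') }
elseif ($server -ne $status) { $findings.Add("WUServer ($server) and WUStatusServer ($status) differ: reporting will not work") }
if ($server -and $server.EndsWith('/')) { $findings.Add('WUServer has a trailing slash') }
if ((Get-RegValue $au 'UseWUServer') -ne 1) { $findings.Add('UseWUServer is not 1: client is not using the intranet server') }
if ($alt -and $alt -ne $server) { $findings.Add("Alternate download server ($alt) differs from WUServer") }

# "WSUS – Specify Source Service": per class, 1 = WSUS, 0 = Windows Update.
$classValues = [ordered]@{
    Feature = 'SetPolicyDrivenUpdateSourceForFeatureUpdates'
    Quality = 'SetPolicyDrivenUpdateSourceForQualityUpdates'
    Driver  = 'SetPolicyDrivenUpdateSourceForDriverUpdates'
    Other   = 'SetPolicyDrivenUpdateSourceForOtherUpdates'
}
$sources = [ordered]@{}
foreach ($class in $classValues.Keys) {
    $v = Get-RegValue $wu $classValues[$class]
    $sources[$class] = if ($null -eq $v) { 'not configured' } elseif ($v -eq 1) { 'WSUS' } else { 'Windows Update' }
}

# Client-side targeting ("Workstations; Test – Workstations" style lists) and detection frequency.
$group = Get-RegValue $au 'TargetGroup'
if ((Get-RegValue $au 'TargetGroupEnabled') -ne 1) { $findings.Add('Client-side targeting is not enabled') }
elseif ($group -notmatch "(^|;\s*)$([regex]::Escape($ExpectedTargetGroup))(\s*;|$)") {
    $findings.Add("Target group '$group' does not include '$ExpectedTargetGroup'")
}
$freq = Get-RegValue $au 'DetectionFrequency'
if ((Get-RegValue $au 'DetectionFrequencyEnabled') -ne 1) { $findings.Add('Detection frequency policy is not enabled') }
elseif ($freq -ne $ExpectedDetectionHours) { $findings.Add("Detection frequency is $freq h, expected $ExpectedDetectionHours h") }

# Delivery Optimization: Download Mode "LAN" is DODownloadMode = 1.
$doMode = Get-RegValue $do 'DODownloadMode'
if ($doMode -ne 1) { $findings.Add("Delivery Optimization Download Mode is $doMode, expected LAN (1)") }

# Restart notifications come from the GPP registry item, not an ADMX policy:
# 1809+ uses RestartNotificationsAllowed2, 1703 to 1803 the value without the 2.
$notify = Get-RegValue $ux 'RestartNotificationsAllowed2'
if ($null -eq $notify) { $notify = Get-RegValue $ux 'RestartNotificationsAllowed' }
if ($notify -ne 1) { $findings.Add('Restart notifications are off (RestartNotificationsAllowed[2] is not 1)') }

[pscustomobject]@{
    WsusServer     = $server
    UpdateSources  = $sources
    TargetGroup    = $group
    DetectionHours = $freq
    DoDownloadMode = $doMode
    Findings       = if ($findings.Count) { $findings } else { 'none' }
} | Format-List
```

For the server rings, call it with -ExpectedTargetGroup 'Servers' (and -ExpectedDetectionHours 4); Ring 4 does not set a detection frequency, so that finding is expected there.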

Servers GPOs – Create Rings

Think about your servers. There are some servers that you have that may not be critical to the business operations but are important (eg. WSUS server, ticketing system, door entry management system, WiFi management system, etc). These systems, while important, could potentially have an issue and not take the business down.

Separate your servers into 4 Rings.

  1. Test Systems, not business critical, can restart automatically. – Time 1 or 2 (eg. WSUS server, deployment server, WiFi management system, etc.)
  2. Business critical, can restart automatically – Time 1 (eg. DC1, CA server, printer server, etc.)
  3. Business critical, can restart automatically – Time 2 (eg. DC2, file server, etc.)
  4. Business critical, cannot restart automatically. Must have manual restarts. Manual interaction may be required (eg. VM host, application server where you must manually log in and start an application, etc.)

On systems in rings 1, 2 or 3, once an update is approved, they will download, install and restart during your maintenance period.

On systems in ring 4, more than likely you will want the server to automatically download but not install the updates, as you will want to install them manually during your maintenance window.

Create a GPO – “WSUS – Servers – Ring 1 – Test-Servers”

This GPO is just a Target group GPO for the client-side targeting of WSUS. Specify both targets separated by a semi-colon and a space.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service

  • Enable client-side targeting: Enabled
  • Target group name for this computer: Servers; Test – Servers

This will create a WSUS group membership assignment so that you can include your Test Servers in Ring 1.

Create a GPO – “WSUS – Servers – Ring 2 – Automatic 4AM”

Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization

  • Download Mode: Enabled
    • Download Mode: LAN

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage end user experience

  • Always automatically restart at the scheduled time: Enabled
    • The restart timer will give users this much time to save their work (minutes): 15
  • Configure Automatic Updates: Enabled
    • Configure automatic updating: 4 – Auto download and schedule the install
    • Uncheck – Install during automatic maintenance
    • Scheduled install day: 0 – Every day
    • Scheduled install time: 04:00
    • Check – Every Week
    • Check – Install updates for other Microsoft products. (You are using WSUS to control what updates are presented to the systems, including other Microsoft products, but in some cases, you want to allow for communication and checking with Microsoft Update, particularly for items that are not in WSUS. This does not mean that it will automatically install software or drivers from Microsoft Update without your approval. This is just a scanning source that will make your life easier. This turns on [Settings > Windows Updates > Advanced Options > “Receive updates for other Microsoft Products”])

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service

  • Automatic Updates detection frequency: Enabled
    • Check for updates at the following interval (hours): 4
  • Enable client-side targeting: Enabled
    • Target group name for this computer: Servers

Create a GPO – “WSUS – Servers – Ring 3 – Automatic 2AM”

Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization

  • Download Mode: Enabled
    • Download Mode: LAN

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage end user experience

  • Always automatically restart at the scheduled time: Enabled
    • The restart timer will give users this much time to save their work (minutes): 15
  • Configure Automatic Updates: Enabled
    • Configure automatic updating: 4 – Auto download and schedule the install
    • Uncheck – Install during automatic maintenance
    • Scheduled install day: 0 – Every day
    • Scheduled install time: 02:00
    • Check – Every Week
    • Check – Install updates for other Microsoft products. (You are using WSUS to control what updates are presented to the systems, including other Microsoft products, but in some cases, you want to allow for communication and checking with Microsoft Update, particularly for items that are not in WSUS. This does not mean that it will automatically install software or drivers from Microsoft Update without your approval. This is just a scanning source that will make your life easier. This turns on [Settings > Windows Updates > Advanced Options > “Receive updates for other Microsoft Products”])

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service

  • Automatic Updates detection frequency: Enabled
    • Check for updates at the following interval (hours): 4
  • Enable client-side targeting: Enabled
    • Target group name for this computer: Servers

Create a GPO – “WSUS – Servers – Ring 4 – Manual”

Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization

  • Download Mode: Enabled
    • Download Mode: LAN

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage end user experience

  • Configure Automatic Updates: Enabled
    • Configure automatic updating: 3 – Auto download and notify for install
    • Uncheck – Install during automatic maintenance
    • Scheduled install day: 0 – Every day
    • Scheduled install time: 06:00
    • Check – Every Week
    • Check – Install updates for other Microsoft products. (You are using WSUS to control what updates are presented to the systems, including other Microsoft products, but in some cases, you want to allow for communication and checking with Microsoft Update, particularly for items that are not in WSUS. This does not mean that it will automatically install software or drivers from Microsoft Update without your approval. This is just a scanning source that will make your life easier. This turns on [Settings > Windows Updates > Advanced Options > “Receive updates for other Microsoft Products”])

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service

  • Enable client-side targeting: Enabled
    • Target group name for this computer: Servers

Express Files

If you find that your updates are taking more time than your maintenance window, consider using the “Download express installation files” option, which delivers only the changed files (deltas) to each system. This speeds up the download and the install process and allows you to complete within your maintenance window, at the expense of about 3-5 times the amount of disk space on your WSUS Server.
