Create a base GPO – “WSUS – Location”
Create a GPO named “WSUS – Location” to JUST point to the FQDN of the WSUS Server on port 8530/8531 (or 80/443 for Server 2008) for all 3 locations (intranet update service, intranet statistics server, and the alternate download server).
Under: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Specify intranet Microsoft update service location: Enabled
Set the intranet update service for detecting updates: http://wsus.domain.local:8530 (or https://wsus.domain.local:8531)
Set the intranet statistics server: http://wsus.domain.local:8530 (or https://wsus.domain.local:8531)
Set the alternate download server: http://wsus.domain.local:8530 (or https://wsus.domain.local:8531)
Download files with no Url in the metadata if alternate download server is set: NOT CHECKED
Use the FQDN: it resolves correctly through DNS in any circumstance, it is best practice, and it is required if you use a public SSL certificate.
Create a GPO – ‘WSUS – Workstations’
Think about your workstations: get out your notes on what workstations you have in your network and go through each of the policies in Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
Read the description, and especially the requirements, CRITICALLY, as Microsoft has clarified which policies apply to which OS. Take note of the word ‘through’: it means the policy applies up to the last-mentioned OS and no longer applies after it.
I’ve only written this guide for Windows 10 options. You may have to add more policies if you have other OSes. If you are using Windows Defender or any other definition-based product from Microsoft, you will want to enable “Automatic Updates detection frequency” and set the detection frequency to something fairly short, like 1 or 2 hours, so that systems pick up the latest definition files from WSUS faster (you must also set an auto-approval rule in WSUS for definition files or this won’t do anything).
Set Delivery Optimization to download updates peer-to-peer from other clients on the same LAN. I mean why not? It makes the load lighter on your WSUS Server if you have a large number of clients, and downloading the updates from each other is faster than every client downloading at once from the WSUS Server. Updates will still only install on a machine if they are approved for that machine’s group, so you don’t have to worry about stray updates installing on systems you don’t want them on.
Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization
Download Mode: Enabled
Download Mode: LAN
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
- Automatic Updates detection frequency: Enabled
- Check for updates at the following interval (hours): 4
- Configure Automatic Updates: Enabled
- Configure automatic updating: 4 – Auto download and schedule the install
- The following settings are only required and applicable if 4 is selected.
- Install during automatic maintenance: DISABLED (forces Windows to install at the scheduled time rather than during the default 2 AM maintenance window that Windows has)
- Scheduled install day: 0 – Every day
- Scheduled install time: 16:00 (pick a time where most systems will be turned on based on your business)
- Install updates for other Microsoft products: Disabled (You’re using WSUS to control what updates are presented to the systems, including other Microsoft products)
- Enable client-side targeting: Enabled
- Target group name for this computer: Workstations
- No auto-restart with logged on users for scheduled automatic updates installations: Disabled
- Turn off auto-restart for updates during active hours: Enabled
- Active Hours Start: 8 AM (pick a time that is relevant to your business)
- Active Hours End: 6 PM (pick a time that is relevant to your business)
- Specify deadline before auto-restart for update installation: Enabled (7 Days)
- Configure auto-restart reminder notifications for updates: Enabled (60 Minutes)
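As an added check, not part of the original guide, the PowerShell below audits a workstation’s effective Windows Update policy registry (after a gpupdate) against the values from the “WSUS – Location” GPO and the “WSUS – Workstations” GPO above. The registry value names are Microsoft’s documented policy values; the expected values are this guide’s, and wsus.domain.local is the guide’s placeholder FQDN, so adjust both for your site.

```powershell
# Added example, not from the original guide: compare the policy registry a client
# received via GPO with the "WSUS – Location" and "WSUS – Workstations" values above.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"
$DoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-PolicyValue([string]$Key, [string]$Name) {
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

# "WSUS – Location": all three URLs must use the same FQDN on a WSUS port.
function Test-WsusLocation([string]$ExpectedFqdn = 'wsus.domain.local') {
    $findings = @()
    foreach ($name in 'WUServer', 'WUStatusServer', 'UpdateServiceUrlAlternate') {
        $url = Get-PolicyValue $WuKey $name
        if (-not $url) { $findings += "$name is not set"; continue }
        $uri = [Uri]$url
        if ($uri.Host -ne $ExpectedFqdn) { $findings += "$name host '$($uri.Host)' is not $ExpectedFqdn" }
        if ($uri.Port -notin 8530, 8531, 80, 443) { $findings += "$name uses non-WSUS port $($uri.Port)" }
        if ($uri.Scheme -ne 'https') { $findings += "$name is plain HTTP; prefer HTTPS on 8531/443" }
    }
    # Without UseWUServer=1 the URLs are ignored and clients scan Microsoft Update instead.
    if ((Get-PolicyValue $AuKey 'UseWUServer') -ne 1) { $findings += 'AU\UseWUServer is not 1' }
    return $findings
}

# "WSUS – Workstations": compare AU, active hours, client-side targeting and DO mode.
function Test-WorkstationPolicy([string]$ExpectedGroup = 'Workstations') {
    $checks = @(
        @{ Key = $AuKey; Name = 'AUOptions';                 Expected = 4  }  # 4 = auto download, schedule install
        @{ Key = $AuKey; Name = 'ScheduledInstallDay';       Expected = 0  }  # 0 = every day
        @{ Key = $AuKey; Name = 'ScheduledInstallTime';      Expected = 16 }  # 16:00
        @{ Key = $AuKey; Name = 'DetectionFrequencyEnabled'; Expected = 1  }
        @{ Key = $AuKey; Name = 'DetectionFrequency';        Expected = 4  }  # hours
        @{ Key = $WuKey; Name = 'SetActiveHours';            Expected = 1  }
        @{ Key = $WuKey; Name = 'ActiveHoursStart';          Expected = 8  }  # 8 AM
        @{ Key = $WuKey; Name = 'ActiveHoursEnd';            Expected = 18 }  # 6 PM
        @{ Key = $WuKey; Name = 'TargetGroupEnabled';        Expected = 1  }
        @{ Key = $WuKey; Name = 'TargetGroup';               Expected = $ExpectedGroup }
        @{ Key = $DoKey; Name = 'DODownloadMode';            Expected = 1  }  # 1 = LAN peering only
    )
    $findings = @()
    foreach ($c in $checks) {
        $actual = Get-PolicyValue $c.Key $c.Name
        if ("$actual" -ne "$($c.Expected)") { $findings += "$($c.Name): expected $($c.Expected), found '$actual'" }
    }
    return $findings
}

$all = @(Test-WsusLocation) + @(Test-WorkstationPolicy)
if ($all) { $all | ForEach-Object { Write-Warning $_ } } else { 'Windows Update policy matches the guide.' }
```

Run it in an elevated prompt on a test workstation after gpupdate /force; each warning names the policy value that differs from the GPO you intended.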
Some of you may not like these settings as they ‘allow’ restarts of computers automatically, even with users logged in. Please be aware that Microsoft has changed its viewpoint on updates because of people who ‘never’ restart their computers. Some security updates only take effect after a restart, and since Microsoft’s focus is on security, both Microsoft and I recommend forcing systems to reboot after a certain point. As you move to 1709 and beyond, you regain more control over how much leeway to give users to delay a reboot when they need to finish a computing job.
Change how you think, Change your life! One way to deal with this is to create a new WSUS group for the systems on which you wish to delay updates, approve updates to this group only in a known update window, and change their GPO to check for updates every hour. This way the systems update quickly, notify the user that their system has updated and will reboot during off hours, and the user can reboot immediately before starting a large computing project.
I Want Notifications!!!
What about those notifications to users that their computer is going to restart? Microsoft has really dropped the ball on this one. Since the initial release of Windows 10, notifications of restarts due to updates have been non-existent. Microsoft has been trying to listen to its customers and, in Windows 10 1703, introduced a notification system to warn users of impending restarts due to Windows Updates. In Windows 10 1809, they improved on this notification system. The problem: the GPOs do not line up with the new Windows 10 Settings app. We have a left hand, right hand issue here where the GPO team has not caught up to the Settings app team. There is simply no GPO (that I’ve found) that sets the notification registry value that the Settings app actually controls.
So, how can we solve this problem? Use group policy preferences (GPP) to set the registry settings properly.
In Computer Configuration > Preferences > Windows Settings > Registry
Create a new registry item with the Update action:
For Windows 10 1703 to 1803 inclusive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings\RestartNotificationsAllowed
For Windows 10 1809 and later
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings\RestartNotificationsAllowed2
Value type: REG_DWORD
Value data: 0 = Off, 1 = On
This option correlates to Settings App > Update & Security > Windows Update > Advanced Options > Update notifications
“Show a notification when your PC requires a restart to finish updating”
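To confirm the GPP item landed on the right value for each build, here is an added PowerShell helper (not from the original guide) that picks RestartNotificationsAllowed or RestartNotificationsAllowed2 from the running build number and reports whether it is on; it assumes the build-to-version mapping 1703 = 15063, 1803 = 17134 and 1809 = 17763, and the Enable-RestartNotification function makes the same change the GPP Update action makes.

```powershell
# Added example, not from the original guide: choose the restart-notification value
# name for this Windows 10 build and check (or set) it, mirroring the GPP item above.
$UxKey = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'

function Get-RestartNotificationValueName([int]$Build) {
    if ($Build -ge 17763) { return 'RestartNotificationsAllowed2' }  # 1809 and later
    if ($Build -ge 15063) { return 'RestartNotificationsAllowed' }   # 1703 through 1803
    return $null                                                      # pre-1703: setting does not exist
}

function Get-RestartNotificationState {
    $nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]((Get-ItemProperty -Path $nt).CurrentBuildNumber)
    $name = Get-RestartNotificationValueName $build
    if (-not $name) { return [pscustomobject]@{ Build = $build; ValueName = $null; Enabled = $false } }
    $value = (Get-ItemProperty -Path $UxKey -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{ Build = $build; ValueName = $name; Enabled = ($value -eq 1) }
}

# Same change as the GPP Update action: REG_DWORD, 1 = On. Requires an elevated prompt.
function Enable-RestartNotification {
    $state = Get-RestartNotificationState
    if (-not $state.ValueName) { Write-Warning "Build $($state.Build) predates 1703; nothing to set"; return $state }
    if (-not (Test-Path $UxKey)) { New-Item -Path $UxKey -Force | Out-Null }
    New-ItemProperty -Path $UxKey -Name $state.ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Get-RestartNotificationState
}

Get-RestartNotificationState | Format-List
```

If Enabled comes back False after a gpupdate, the GPP item is targeting the wrong value name for that build (for example RestartNotificationsAllowed on 1809 or later).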
Create a GPO – “WSUS – Servers”
Think about your servers. More than likely you will want the server to automatically download but not install updates, as you will want to install them manually during your maintenance window. If you are using Windows Defender or any other definition-based product from Microsoft, you will want to enable “Allow Automatic Updates immediate installation”, which immediately installs updates that neither interrupt Windows services nor restart Windows.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
- Allow Automatic Updates immediate installation: Enabled
- Configure Automatic Updates: Enabled
- Configure automatic updating: 3 – Auto download and notify for install
- Enable client-side targeting: Enabled
- Target group name for this computer: Servers
You may or may not wish to install updates on your servers manually. If you have a server farm, you will want to create multiple ‘rings’ of schedules and groups. You can then have the systems reboot automatically and approve updates to each ring individually. This way you can set “Configure automatic updating: 4 – Auto download and schedule the install”, set up the settings appropriate to you, and force the reboot after the install during your maintenance period. If you find that your updates are taking more time than your maintenance window, consider using the “Download express installation files” option, which delivers only the changed files (deltas) to each system. This quickens the download, quickens the install, and lets you complete within your maintenance window, at the expense of about 3-5 times the amount of disk space on your WSUS Server.
Create a GPO – “WSUS – Workstations, Test – Workstations”
This GPO is just a Target group GPO for the client-side targeting of WSUS. Specify both targets separated by a semi-colon and a space.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Enable client-side targeting: Enabled
Target group name for this computer: Workstations; Test – Workstations
Create a GPO – “WSUS – Servers, Test – Servers”
This GPO is just a Target group GPO for the client-side targeting of WSUS. Specify both targets separated by a semi-colon and a space.
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Enable client-side targeting: Enabled
Target group name for this computer: Servers; Test – Servers