How to Setup, Manage, and Maintain WSUS: Part 4 – Creating your GPOs for an Inheritance Setup

Create a base GPO – “WSUS – Location”

Create a GPO named “WSUS – Location” to JUST point to the FQDN of the WSUS Server on port 8530/8531 (or 80/443 for Server 2008) for all 3 locations (intranet update service, intranet statistics server, and the alternate download server).

Under: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Specify intranet Microsoft update service location: Enabled
Set the intranet update service for detecting updates: http://wsus.domain.local:8530 (or https://wsus.domain.local:8531)
Set the intranet statistics server: http://wsus.domain.local:8530 (or https://wsus.domain.local:8531)
Set the alternate download server: http://wsus.domain.local:8530 (or https://wsus.domain.local:8531)

FQDN should be used for proper DNS resolution in any circumstance and also is best practice and required for any public SSL Certificates.

Create a GPO – ‘WSUS – Workstations’

Think about your Workstations, get out your notes of what workstations you have in your network and go through each of the policies in Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
Read the description and especially the requirements CRITICALLY as Microsoft has clarified which policies apply to which OS. Take note of the words ‘through’ – meaning after the last mentioned OS, it no longer applies.

I’ve only written this guide for Windows 10 options. You may have to add more policies in if you have other OSes. If you are using Windows Defender or any other definition based product from Microsoft, you will want to enable “Automatic Updates detection frequency” and set the detection frequency to something fairly short like 3 hours so that the systems can find the latest definition files faster from WSUS (you must also set the auto-approval rule in WSUS for definition files or this won’t do anything).

Set WSUS to only download from peer to peer connections on the same LAN. I mean why not? It makes the load lighter on your WSUS Server if you have a large number of clients and it makes downloading the updates from each other faster than all downloading at once from the WSUS Server. Updates will still only install on the machines if they are approved for that group, so you don’t have to worry about stray updates installing on systems you don’t want them to install on.

Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization

Download Mode: Enabled
Download Mode: LAN

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Automatic Updates detection frequency: Enabled
- Check for updates at the following interval (hours): 8
Configure Automatic Updates: Enabled
- Configure automatic updating: 4 – Auto download and schedule the install
- The following settings are only required and applicable if 4 is selected.
- Install during automatic maintenance: Enabled
- Scheduled install day: 0 – Every day
- Scheduled install time: 16:00 (pick a time where most systems will be turned on based on your business)
- Install updates for other Microsoft products: Disabled (You’re using WSUS to control what updates are presented to the systems, including other Microsoft products)
Enable client-side targeting: Enabled
- Target group name for this computer: Workstations
No auto-restart with logged on users for scheduled automatic updates installations: Disabled
Turn off auto-restart for updates during active hours: Enabled
- Active Hours Start: 8 AM (pick a time that is relevant to your business)
- Active Hours End: 6 PM (pick a time that is relevant to your business)
Specify deadline before auto-restart for update installation: Enabled (7 Days)
Configure auto-restart reminder notifications for updates: Enabled (60 Minutes)

Some of you may not like these settings as they ‘allow’ restarts of computers automatically, even with users logged in. Please be aware, Microsoft has changed their viewpoint on updates due to people who ‘never’ restart their computers. Some security updates will only apply after a restart, and since Microsoft’s focus is on security, both Microsoft and I recommend forcing systems to reboot after a certain point. As people upgrade to 1709 and beyond, you will end up regaining more control over the ability to allow users a bit more control over delaying rebooting if necessary to allow for the finishing of computing data.

Change how you think, Change your life! One way to deal with this is to create a new WSUS Group for these systems that you wish to delay these updates on and only approve them to this group in a known update Window, and change their GPO to allow for checking for updates every hour. This way the systems will update quickly, notify the user to let them know that their system updated and will reboot during off hours, and then they have the ability to reboot immediately before starting on a large computing project.

Create a GPO – “WSUS – Servers”

Think about your servers. More than likely you will want to have the server automatically download but not install the updates as you will want to manually install them during your maintenance window. If you are using Windows Defender or any other definition based product from Microsoft, you will want to enable “Allow Automatic Updates immediate installation” of updates that neither interrupt Windows services nor restart Windows.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Allow Automatic Updates immediate installation: Enabled
Configure Automatic Updates: Enabled
- Configure automatic updating: 3 – Auto download and notify for install
Enable client-side targeting: Enabled
- Target group name for this computer: Servers

You may or may not wish to manually install updates on your servers. If you have a server farm, you would want to create multiple ‘rings’ of schedules and groups. You can then choose to have the systems automatically reboot and approve updates to each ring individually. This way you can setup “Configure automatic updating: 4 – Auto download and schedule the install” and setup the settings appropriate to you, and force the reboot after the install during your maintenance period. If you find that your updates are taking more time than your maintenance window, consider using the “Download express installation files” option which will only deliver to each system the changed files (deltas). This will quicken the download, quicken the install process, and allow you complete within your maintenance window, at the expense of about 3-5 times the amount of disk space on your WSUS Server.

Create a GPO – “WSUS – Workstations, Test – Workstations”

This GPO is just a Target group GPO for the client-side targeting of WSUS. Specify both targets separated by a semi-colon and a space.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Enable client-side targeting: Enabled
Target group name for this computer: Workstations; Test – Workstations

Create a GPO – “WSUS – Servers, Test – Servers”

This GPO is just a Target group GPO for the client-side targeting of WSUS. Specify both targets separated by a semi-colon and a space.

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Enable client-side targeting: Enabled
Target group name for this computer: Servers; Test – Servers

June 1, 2018

10 Likes