Body
There are two ways to configure a Windows computer to be a Windows System Update Services (WSUS) client.
- Group Policy Object (GPO)
- Registry
Using a Group Policy Object
A Group Policy Object (GPO) can be used to configure settings on one or more Windows computers to prompt downloading and installing Microsoft updates from the EITS WSUS service.
To use a GPO for configuration, you will need:.
- A z-account in the MSMYID domain that has been delegated administrative access to the Organizational Unit (OU) within the MSMYID domain containing the computers to which you want to apply the GPO. This account should be a z-account and not a regular MyID account.
- An account in the MSMYID domain that is a member of the Group Policy Creator Owners group. This account may be the same one with administrative access to the OU.
- A Windows computer joined to the MSMYID domain that has the Remote System Administration Tools (RSAT) including the Group Policy Management Console (GPMC). You will need to run the GPMC with the administrative access privileges of the z-account mentioned in 1 and 2. Therefore, you must either log into this computer as the z-account, or log in to the computer as a different user and then run the GPMC as the z-account.
- Ensure that the computers you want to be WSUS clients can communicate with the EITS WSUS server on TCP port 8530. If they cannot, you may need to open TCP port 8530 for out-going communication on the Windows Firewall or another firewall that is between your WSUS client computers and the EITS WSUS server.
When you have the required z-account, computer, and tools, you may create a GPO and apply it to the computers that you want to be WSUS clients.
Follow Microsoft's documentation for creating the GPO.
EITS recommends giving your GPOs names that include a unique acronym to identify the department to which the GPO belongs. This will make it easier to locate your GPOs among the many other GPOs and also help others to know who to contact if there are any questions or concerns.
GPO Settings
The following settings are the minimum necessary to use the EITS WSUS server. EITS recommends becoming familiar with other settings, as they may be helpful.
- Configure Automatic Updates
- Specifies whether automatic updates are enabled on this computer. Depending on how you configure it, this setting also schedules the computers to download updates automatically and to install the updates on a specific day of the week and at a specific hour of the day.
- Specify intranet Microsoft update service location
- Specifies an intranet server to host updates from Microsoft Update. To use the EITS WSUS server you need to enter
http://eits-wsus.msmyid.uga.edu:8530 into the boxes labeled Set the intranet update service for detecting updates and Set the intranet statistics server. Leave the Set the alternate download server box empty unless you know you need to use it.
The following GPOs have been created as templates for your reference. They may be found in the GPMC under Group Policy Objects.
- EITS-WSUS-TEMPLATE-DOWNLOAD_UPDATES_ONLY
- EITS-WSUS-TEMPLATE-DOWNLOAD_AND_INSTALL_UPDATES
Applying the GPO
After you have created your GPO, you need to apply it to the computers you want to be clients of the EITS WSUS server.
The computers must be joined to the MSMYID domain. Each domain-joined computer will have a computer object in the domain.
It is generally simplest, but not necessary, for all of the computer objects to be in the same OU.The GPO must be linked to all OUs where the computer objects are located.
Linking the GPO to an OU indicates you want the settings configured in the GPO to be applied to any and all valid objects in the OU and all of its child-OUs. If necessary, you can use Security Filtering in the GPO to more specifically control which computer objects have the GPO applied
The new settings from the GPO will be automatically applied to the computers within an hour or two. The application of the new settings can also be forced from the Command Prompt on a WSUS client computer with the gpupdate /force command.
Note: If you have more than one GPO that configures the same settings, only the setting configurations from one of the GPOs will be applied. There are multiple ways in which the setting configurations that get applied are determined and controlled.
For more information, see Group Policy Preferences, Group Policy Hierarchy, Overriding and Blocking Group Policy, Filtering the Scope of a GPO, and Applying Group Policy.
Using the Registry
A computer can be configured to use the EITS WSUS server by editing the Registry.
Editing the Registry is not recommended because any mistake during the process may result in the computer becoming unusable. If you choose to edit the Registry, EITS recommends making a backup or snapshot of your computer and the Registry before you begin.
Documentation for editing the Registry to use WSUS is supplied by Microsoft here.