Enabling Clients to get updates from the local server Using Group Policies on 2003/2008 Server

Note :- for these policies to take effect the client has to be restarted. Create a separate policy for WSUS, DO NOT use the Default Policies
1) Create a new GPO
[Do not edit the default Domain Controller Policy or Default Domain Policy]
2) Edit the newly created GPO

  • Log into the server and open "Group Policy Management"
  • open Group Policy Management -> Forest: "Forest Name" -> Domains -> "Domain Name" ->
  • Right Click on Group Policy Objects, Select "New" -> Select a name for your "New Group Policy" and leave the source starter GPO as "None", Click on Ok. 
  • Select the New policy that you created, right click on it and click "Edit"
  • Select Computer Configuration -> Administrative templates -> Policies -> Windows Components -> Windows Update
    • 3rd option on the right side of the window "Configure Automatic Updates", Select Enable, select the settings according to your preference, click on Next Setting
    • "Specify Intranet Microsoft Update Service Location" -> type http://servername or http://servername:8530
    • "Auto Updates Detection Frequency", Click on "Enable" set interval(hours) e.g. 10
    • "Allow automatic Updates Immediate Installation", Select Enable.
    • "No Auto-restart with users loged on for Scheduled Automatic Updates Installations", Select Enable.
    • "Re-Prompt for restart with scheduled installation Properties", Select Disable.
    • "Enable Client Side Targeting", Enable and Select a group name which is already present on the WSUS server you want the computers to appear under.
    • Select Apply, Click on OK.
    • after doing all this
3)Specify the Security Filtering for this newly created GPO to the specific Computer or Groups or Users you want it to reflect
4) Link this newly created GPO in your Domain and make it Enforced
5) Restart (may or may not be required) the client machine to which you have set this GPO
6) Login to the client machine and now check the registry settings in the client machine

Process to verify Group Policies Updates

  • go to start -> run and type "regedit" after that select on the right side of the window browse to the following location "My Comouter -> HKEY_LOCAL_MACHINE -> Software -> Policies -> Microsoft -> Windows -> WindowsUpdate"

And check its values,

  • Go to Start -> Run type "cmd" and type "gpresult" to see which policies are currently in use on the client.
  • The TargetGroup, WUServer and WUStatusServer should have the values you set in your GPO
  • So, being said that all are good, now check whether you have set Windows Update to Automatic mode, if not, set it and then Check For Updates. You may be prompted an update to the Windows Update, install it.
  • Now, go to your server, fire up WSUS Administration Console and go to,
Update Services -> Server -> Computers-> All Computers
  • Check whether you can actually see the Computer in which you have set up the Intranet Update Service. If you cannot see,wait for sometime, something will appear there, lol (you may have to Refresh it).
If you see your Computer, but then if it tells your that its status is not yet reported, then, run this on the client Computer (on the command prompt),
  • go to start -> run -> type "cmd" and then type "wuauclt /resetauthorization /detectnow" (without the quotes)
  • You should now be able to view your computer in the WSUS Administration Console

No comments:

Post a Comment