Configuring WSUS clients locally

Keeping your workstations up to date with all of the latest
updates and security patches is vital. This becomes problematic when you have
to support dozens or hundreds of workstations. Microsoft has made it much
easier by creating Windows Server Update Services.

Implementing a Windows Server Update Services (WSUS)
infrastructure requires you to install and configure a WSUS server. Once this
is complete, you then need to configure the client computers on your network to
point to the WSUS server. This entails deploying the required software on the
network and configuring the required settings. Here’s how to configure Windows
XP to access patches on a WSUS server.

Author’s Note

In this article I will outline how to configure a computer
running Windows XP Professional to obtain updates from a WSUS server on the
local network. The article assumes that you have already installed and
configured a WSUS server.

Configuring clients for automatic updates

In order to implement a WSUS infrastructure a compatible
version of Automatic Updates must be installed on the client computers. The updated software, referred to as the WSUS
client, allows clients to download the updates from a WSUS server instead of
using the Windows Update.

The updated version of Automatic Updates can run on any of
the following platforms:

  • Microsoft Windows 2000 Professional with SP3 or
    later
  • Microsoft Windows XP Professional
  • Microsoft Windows Server 2003 (All editions)

Installing a compatible version of automatic updates

The process that is use to install the WSUS client will
depend on the operating system and service pack version that is installed on
client computers. If all clients are running Windows XP Professional with Service
Pack 2, no installation is required because the WSUS client is already
installed.

If client computers are not running Service Pack 2, or they
are running a different version of Windows, the WSUS client can be installed
through self-update. When WSUS is installed, IIS is automatically configured to
distribute the updated version of Automatic Update when each client computer
contacts the WSUS server. The self-update method is supported by the following
clients:

  • Windows 2000 with SP3 or SP4
  • Windows XP with SP1 or SP2
  • Windows Server 2003

The self-updating client software is not available if client
computers are running Windows XP with no service packs. Assuming that there is
not a Software Update Services (SUS) server on the network already, you must
first install the SUS client software on the computers. This will add the
self-updating client software. When the client connects to the WSUS server, the
SUS client will be updated to the WSUS server.

The SUS client software (WUAU22.msi) can be downloaded from
the Microsoft
Web site
. You can deploy the
software locally on each client computer or it can be deployed from a central
location using Active Directory. The
following steps outline how the client can be deployed using a group policy
object:

  1. Click
    Start, point to Administrative Tools, and click Active Directory Users And
    Computers.
  2. Right
    click the appropriate organizational unit and click Properties.
  3. From
    the Group Policy tab, select an existing GPO and click Edit or click New
    to create a new GPO.
  4. Under
    Computer Configuration, select Software Settings as shown in the figure.

Figure A

Deploying the SUS client through group policy

  1. Right
    click Software Installation, point to New, and click Package.
  2. Locate
    the WUAU22.msi file and click Open.
  3. The
    Deploy Software window appears. Click Assigned and click OK.

Configuring automatic updates

Once the updated version of Automatic Updates has been
deployed to client computers, you can configure the client software. The
settings can be configured through the Local Security Policy on each computer
or if your network uses Active Directory, you can deploy settings using group
policy.

Using Active Directory to configure WSUS clients

Before you can deploy any settings through a Group Policy
Object (GPO) you must first load the Automatic Update policy settings. This
should be done when Software Update Services is installed. If not, open the
appropriate GPO, under the Computer Configuration or User Configuration, right
click the Administrative Templates folder and click Add/Remove Templates. Click
Add and locate the Automatic Updates ADM file (wuau.adm) which is located in
the Windows\inf directory. Select the adm file and click Open.

You can find the Windows Update settings within a GPO by
navigating to Computer Configuration/ Administrative Templates/ Windows
Components/ Windows Update folder. Within the details pane, double click
Configure Automatic Updates and click Enabled. The details pane will display
the options listed below:

  • Configure Automatic Updates
  • Specify Intranet Microsoft update service
    location
  • Enable client-side targeting
  • Reschedule Automate Update scheduled
    installations
  • No auto-restart for scheduled update
    installation options
  • Automatic Update detection frequency
  • Allow Automatic Update immediate installation
  • Delay restart for schedule installations
  • Re-prompt for restart with scheduled
    installations
  • Allow non-administrators to receive update
    notifications
  • Remove links and access to Windows Update
  • At a bare minimum, you need to configure the first two
    options to enable Automatic Updates and point the client computers to the WSUS
    server. The first setting, Configure Automatic Updates, is used to enable or
    disable automatic updates. If it is enabled you can select one of the following
    settings as to how updates are downloaded and if the administrator is notified:

    • Notify for download and notify for install – A
      logged on administrative user will be notified before updates are downloaded
      and again before updates are installed.
    • Auto download and notify for install (this is
      the default) – Updates are automatically downloaded. A logged on administrative
      user is notified before updates are installed.
    • Auto download and schedule the install – Updates
      are automatically downloaded and installed on a pre-configured schedule.
    • Allow local admin to choose setting – Local
      administrators are permitted to configure their own settings using the
      Automatic Updates setting in the Control Panel.

    You also need to point the client computers to the WSUS
    server on the network. This can also be done through the Windows Update
    container within a GPO. Double click the Specify intranet Microsoft update
    service location option and click Enabled. In the Set update service for
    detecting updates field, type in the Universal Resource Locator (URL) to the
    WSUS server. Type in the same URL in the Set the intranet statistics server
    field.

    The WSUS settings configure through the GPO will now be
    automatically deployed to the client computers. Group policy settings are
    automatically refreshed at a certain interval so the changes may not take
    effect immediately. To manually refresh the settings, use the gpupdate /force
    command on the client computers. The remaining settings that can be configured
    through a GPO are:

    • Enable client-side targeting
      This setting is used to enable client computers to self-populate computer
      groups that exist on the WSUS server.
    • Reschedule Automate Update scheduled
      installations
      – This setting is used to define how long to wait after
      system startup before proceeding with an installation when a scheduled
      install has been missed. If this option is disabled, the installation will
      occur at the next scheduled day and time.
    • No auto-restart for scheduled update
      installation options
      – This setting is used to configure whether or
      not the computer is automatically restarted after an update is installed.
      If this option is enabled, the user currently logged in will be notified
      to restart the computer.
    • Automatic Update detection frequency –
      This setting defines the frequency at which Windows will check for
      available updates.
    • Allow Automatic Update immediate
      installation
      – This setting defines whether updates that do not
      interrupt Windows services or restart Windows should be installed
      automatically.
    • Delay restart for schedule
      installations
      – This setting will determine how long Automatic Updates
      will wait before performing a scheduled restart.
    • Re-prompt for restart with scheduled
      installations –
      This setting will determine how long Automatic Updates
      will wait before prompting a user for a scheduled restart.
    • Allow non-administrators to receive
      update notifications
      – This setting will determine whether
      non-administrative uses receive update notifications.
    • Remove links and access to Windows
      Update
      – This setting removes the Windows Update icon from the Start
      menu.

    Configuring WSUS clients locally

    As already mentioned Automatic Updates can also be
    configured locally if your network does not use Active Directory. This can be
    done by editing the Local Group Policy object with the Group Policy editor or
    by creating and editing various registry entries.

    You can open the Local Group Policy Object in Windows XP by
    clicking Start and clicking Run. Type in gpedit.msc
    and click OK. The Group Policy editor will appear. Navigate to Computer
    Configuration/ Administrative Templates/ Windows Components/ Windows Update as
    shown in Figure B. The details pane will display the same settings that were
    outlined in the previous section.

    Figure B

    Configuring automatic updates through the Local Group Policy Object

    Finally, you can also configure the WSUS client settings
    through the local registry. This requires you to create several registry keys,
    some of which are outlined in the table below.

    Registry Entry

    Description

    UseWUServer

    This option is used to specify whether
    a WSUS server is used. Setting the value to 1 indicates the client will download
    updates from a WSUS server.

    AUOptions

    This option is used to
    configure how updates are downloaded and whether administrators are notified.
    The possible values are 2 (notify of download and installation), 3
    (automatically download and notify of installation), 4 (automatic download
    and scheduled installation), or 5 (Automatic Updates is required, but end
    users can configure it).

    ScheduledInstallDay

    This option specifies the day
    of the week that updates will be installed. The values range from 0-7 where 0
    indicates every day and 1-7 indicates specific days of the week where 1 =
    Sunday and 7 = Saturday.

    ScheduledInstallTime

    This option specifies the time
    of day that installs will take place. The value is specified in 24 hour
    format.

    RescheduleWaitTime

    This defines how long to wait
    after restarting to computer for a missed scheduled install to take place.
    The value is specified in minutes (1-60).

    NoAutoRebootWithLoggedOnUsers

    This option specifies whether
    the computer is automatically restarted after an update is installed. Set
    this value to 1 to enable the logged on user to choose whether or not to
    reboot their computer.

    NoAutoUpdate

    This option is used to enable
    or disable automatic updates.

    WUServer

    This option is used to specify
    which SUS server the client will retrieve updates from. The SUS server is
    identified by HHTP name.

    WUStatusServer

    This option is used to specify
    where clients will send status information. The server is identified by HTTP
    name.

    Keeping up-to-date

    In order to implement a Windows Server Update Services
    infrastructure, client computers must be configured to obtain updates from the
    WSUS server on the network. After the updated version of Automatic Updates is
    installed on client computers, Automatic Updates settings can be deployed to
    client computers using group policy or they can be configured locally.