Step 5: Update and Configure the Client Computers

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server Update Services

WSUS client computers must be running a version of Automatic Updates that is compatible with WSUS. WSUS Setup automatically configures IIS to distribute the latest version of Automatic Updates to each client computer that contacts the server.

Also, the default Web site on Windows SBS 2003 must be modified to enable WSUS client computers to self-update. The WSUS server setup installs two vroots, SelfUpdate and ClientWebService, and some files under the home directory of the default Web site (on port 80). This enables client computers to self-update through the default Web site. By default, the default Web site is configured to deny access to any IP address other than localhost or specific subnets attached to the server. This means that client computers that are not on localhost or on those specific subnets cannot self-update. To grant access to these client computers, complete the following steps on the default Web site’s SelfUpdate and ClientWebService virtual directory.

To grant access to the client computers to self-update

1. In Server Management, expand Advanced Management, expand Internet Information Services, expand Web Sites, expand Default Web Site, right-click the Selfupdate virtual directory, and then select Properties.

2. Click Directory Security.

3. Under IP address and domain name restrictions, click Edit, and then click Granted Access.

4. Click OK, right-click the ClientWebService virtual directory, and then select Properties.

5. Click Directory Security.

6. Under IP address and domain name restrictions, click Edit, and then click Granted Access.

Because that WSUS client computers update themselves automatically, you only need to configure and point client computers to the WSUS server. To configure Automatic Updates, create a new Group Policy object (GPO) for WSUS settings and then link that GPO on the domain level. Next, add all of your WSUS settings by editing the GPO you just created.

For more information about Group Policy, see the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkID=47375.

Step 5 contains the following procedures:

• Create and link a GPO on the domain level.

• Configure Automatic Updates.

• Point client computers to your WSUS server.

• Disable auto-restarts for scheduled update installations (optional).

• Manually initiate detection on the client computer (optional).

To create and link a GPO on the domain level, and then open the new GPO in Group Policy Object Editor

1. In Server Management, expand Advanced Management, expand Group Policy Management, expand Forest, expand Domains, and then click your Windows SBS domain.

   

2. Right-click your Windows SBS domain, and then select Create and Link a GPO Here.

3. In the Name box, type WSUS, and then click OK.

4. Right-click the new WSUS GPO, and then click Edit.

   

The following policy setting configures Automatic Updates to install updates on a schedule. You must enable this policy setting.

To configure the behavior of Automatic Updates

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, double-click Configure Automatic Updates.

3. Click Enabled, and then select Auto download and schedule the install.

4. Accept the default values for when installations should take place (every day at 3 AM), and then click OK.

The following policy setting configures Automatic Updates to use your WSUS server. You must enable this policy setting.

To point the client computer to your WSUS server

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, double-click Specify intranet Microsoft update service location.

3. Click Enabled, and then type the HTTP URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type **https://**sbs-servername:8530 in both boxes.

4. Click OK.

The following policy setting prevents Automatic Updates from restarting the computer automatically if an update requires it. If you enable this policy setting, be aware that an update that requires a restart cannot take effect until you manually restart the computer. This policy setting is optional.

To disable automatic restart for scheduled update installations

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2. In the details pane, double-click No auto-restart for scheduled Automatic Updates installations.

3. Click Enabled, and then click OK.

You have to wait for Group Policy to refresh for the settings to take effect. By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0 to 30 minutes. If you want to refresh Group Policy sooner, you can go to a command prompt on the client computer and type: gpupdate /force.

After Group Policy refreshes, it can take up to 20 minutes before client computers appear on the Computers page in the WSUS console. If you initiate detection manually, you do not have to wait 20 minutes for the client computer to contact WSUS.

To manually initiate detection by the WSUS server

1. On the client computer click Start, and then click Run.

2. Type cmd, and then click OK.

3. At the command prompt, type wuauclt.exe /detectnow. This command-line option instructs Automatic Updates to contact the WSUS server immediately.