Step 5: Configure Automatic Updates

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server Update Services

WSUS client computers require a compatible version of Automatic Updates. WSUS Setup automatically configures IIS to distribute the latest version of Automatic Updates to each client computer that contacts the WSUS server.

The best way to configure Automatic Updates depends on your network environment. In an environment with Active Directory, you can use a domain–based Group Policy object (GPO). In an environment without Active Directory, use the Local Group Policy object. Whether you use the Local Group Policy object or a domain-based GPO, you must point your client computers to the WSUS server, and then configure Automatic Updates.

The following instructions assume that your network runs Active Directory. These procedures also assume that you are familiar with Group Policy and use it to manage your network. You need to create a new GPO for WSUS settings, and link the GPO to the domain.

For more information about Group Policy, see the Group Policy Tech Center Web site (https://go.microsoft.com/fwlink/?LinkID=47375).

Step 5 contains the following procedures:

  • Add the WSUS Administrative Template.

  • Configure Automatic Updates.

  • Point your client computer to your WSUS server.

  • Manually initiate detection by the WSUS server.

Perform the first three procedures on a domain–based Group Policy object. You will need to create a new GPO or use an existing GPO. If you are using Group Policy Management Console (GPMC) to manage your GPOs, navigate to the GPO you wish to modify, and then click Edit.

In order to view policy settings to manage WSUS, you will need to ensure that the WSUS administrative template file, wuau.adm, is added to Group Policy Object Editor. Because wuau.adm is released by default in the operating system, it should already be present in Group Policy Object Editor.

To add the WSUS Administrative Template

  1. In Group Policy Object Editor, click either of the Administrative Templates nodes.

  2. On the Action menu, click Add/Remove Templates and then click Add.

  3. In the Policy Templates dialog box, click wuau.adm, and then click Open.

  4. In the Add/Remove Templates dialog box, click Close.

To configure Automatic Updates

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

  2. In the details pane, double-click Configure Automatic Updates.

  3. Click Enabled, and then click one of the following options:

    • Notify for download and notify for install: This option notifies a logged-on administrative user before the download and before the installation of the updates.

    • Auto download and notify for install: This option automatically begins downloading updates and then notifies a logged-on administrative user before installing the updates.

    • Auto download and schedule the install: If Automatic Updates is configured to perform a scheduled installation, you must also set the day and time for the recurring scheduled installation.

    • Allow local admin to choose setting: With this option, local administrators are allowed to use Automatic Updates in Control Panel to select a configuration option of their choice. For example, they can choose their own scheduled installation time. Local administrators are not allowed to disable Automatic Updates.

  4. Click OK.

Note

The setting Allow local admin to choose setting appears only if Automatic Updates has updated itself to the version compatible with WSUS.

To point your client computer to your WSUS server

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

  2. In the details pane, double-click Specify intranet Microsoft update service location.

  3. Click Enabled, and type the HTTP URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type https://servername in both boxes, and then click OK.

Note

If you are using the Local Group Policy object to point this computer to WSUS, this setting takes effect immediately and this computer should appear in the WSUS administrative console after a short time. You can speed up this process by manually initiating a detection cycle.

After you set up a client computer, it will take a few minutes before it appears on the Computers page in the WSUS console. For client computers configured with a domain-based Group Policy, it will take about 20 minutes after Group Policy refreshes (that is, applies any new policy settings to the client computer). By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0–30 minutes. If you want to refresh Group Policy sooner, you can go to a command prompt on the client computer and type: gpupdate /force.

For client computers configured with the Local GPO, Group Policy is applied immediately, and the refresh will take about 20 minutes.

After Group Policy is applied, you can initiate detection manually. If you initiate detection manually, you do not have to wait 20 minutes for the client computer to contact WSUS.

To manually initiate detection by the WSUS server

  1. On the client computer, click Start, and then click Run.

  2. Type cmd in the Open box, and then click OK.

  3. At the command prompt, type wuauclt.exe /detectnow. This command-line option instructs Automatic Updates to contact the WSUS server immediately.