Step 5: Update and Configure Automatic Updates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server Update Services

WSUS client computers require a compatible version of Automatic Updates. WSUS Setup automatically configures IIS to distribute the latest version of Automatic Updates to each client computer that contacts the WSUS server.

Note

Although most versions of Automatic Updates can be pointed to the WSUS server and they will automatically self-update to the WSUS-compatible version, the version of Automatic Updates included with Windows XP without any service packs cannot update itself automatically. If you have Windows XP without any service packs in your environment, and you have never used Software Update Services (SUS), see the “Deploying Microsoft Windows Server Update Services” white paper for instruction.

The best way to configure Automatic Updates depends upon your network environment. In an Active Directory environment, you can use an Active Directory-based Group Policy object (GPO). In a non-Active Directory environment, use the Local Group Policy object. Whether you use the Local Group Policy object or a GPO stored on a domain controller, you must point your client computers to the WSUS server, and then configure Automatic Updates.

The following instructions assume that your network runs Active Directory. These procedures also assume that you have already set up and are familiar with Group Policy and use it to manage your network. You need to create a new Group Policy object (GPO) for WSUS settings, and link the GPO on the domain level.

For more information about Group Policy, see the Group Policy page at https://go.microsoft.com/fwlink/?LinkID=47375.

Step 5 contains the following procedures:

  • Load the WSUS Administrative Template.

  • Configure Automatic Updates.

  • Point client computers to your WSUS server.

  • Manually initiate detection on the client computer.

Perform the next three procedures on an Active Directory-based Group Policy object.

To add the WSUS Administrative Template

  1. In Group Policy Object Editor, click either of the Administrative Templates nodes.

  2. On the Action menu, click Add/Remove Templates.

  3. Click Add.

  4. In the Policy Templates dialog box, click wuau.adm, and then click Open.

  5. In the Add/Remove Templates dialog box, click Close.

To configure the behavior of Automatic Updates

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

  2. In the details pane, double-click Configure Automatic Updates.

  3. Click Enabled, and then click one of the following options:

    • Notify for download and notify for install. This option notifies a logged-on administrative user prior to the download and prior to the installation of the updates.

    • Auto download and notify for install. This option automatically begins downloading updates and then notifies a logged-on administrative user prior to installing the updates.

    • Auto download and schedule the install. If Automatic Updates is configured to perform a scheduled installation, you must also set the day and time for the recurring scheduled installation.

    • Allow local admin to choose setting. With this option, the local administrators are allowed to use Automatic Updates in Control Panel to select a configuration option of their choice. For example, they can choose their own scheduled installation time. Local administrators are not allowed to disable Automatic Updates.

  4. Click OK.

Note

The setting Allow local admin to choose setting only appears if Automatic Updates has updated itself to the version compatible with WSUS.

To point the client computer to your WSUS server

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

  2. In the details pane, double-click Specify intranet Microsoft update service location.

  3. Click Enabled, and type the HTTP URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type **https://**servername in both boxes.

  4. Click OK.

Note

If you are using the Local Group Policy object to point this computer to WSUS, this setting takes effect immediately and this computer should appear in the WSUS administrative console in about 20 minutes. You can speed this process up by manually initiating a detection cycle.

After you set up a client computer, it will take a few minutes before it appears on the Computers page in the WSUS console. For client computers configured with an Active Directory-based GPO, it will take about 20 minutes after Group Policy refreshes (that is, applies any new settings to the client computer). By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0 to 30 minutes. If you want to refresh Group Policy sooner, you can go to a command prompt on the client computer and type: gpupdate /force.

For client computers configured with the Local GPO, Group Policy is applied immediately and it will take about 20 minutes.

Once Group Policy is applied, you can initiate detection manually. If you perform this step, you do not have to wait 20 minutes for the client computer to contact WSUS.

To manually initiate detection by the WSUS server

  1. On the client computer click Start, and then click Run.

  2. Type cmd, and then click OK.

  3. At the command prompt, type wuauclt.exe /detectnow. This command-line option instructs Automatic Updates to contact the WSUS server immediately.