Over the previous weeks,  I‘ve posted a series of articles about the configuration options available for the Windows Update Agent, but knowing what those options are is only half the battle. One of the most significant challenges new WSUS Administrators face while implementing WSUS is getting the clients configured to communicate with the WSUS server. In this article, we’re going to walk through the steps necessary to make this happen.

Configure the WSUS Server as a Client

Before you dive down into Active Directory, OrgUnits, and Group Policy, always start with the simplest option – configuring the WSUS Server itself as a client. This provides two notable opportunities:

• Since we’re going to use Local Policy, it eliminates all of the complications that are created by Active Directory and Group Policy.
• Because the WSUS Server is the client, it also eliminates network communications as a complication.

In all of the configuration settings described in previous posts, only one of them is required to configure a system as a client of a WSUS server.

Log onto the WSUS Server as the local administrator and run GPEDIT.MSC.

Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update

Specify Intranet Microsoft Update Service Location

Enable this policy and provide the URL of your WSUS server in both fields of the dialog. The URL should be in the form http://servername. You also need to know whether WSUS was installed to port 80 or port 8530. If it was installed to port 8530, there is a virtual directory named “WSUS Administration” in IIS. In this case, the URL should be http://servername:8530. This information is also presented during WSUS installation on a dialog.

Since we’re configuring a server, there is a second setting for which we should specify a non-default setting.

Configure Automatic Updates

Enable this policy and set the dropdown to Option #3 – Auto download and notify for install. This will allow the WSUS server to transfer the installation files for approved updates from the “server” to the “client”, so they’re ready for installation when you choose to actually update the server.

Close the policy editor.

Apply the Policy to the System

Open a Command Prompt and run the command gpupdate /force /target:computer

This will apply the two settings you just configured to the system. Also, because the Windows Update Agent is aware of policy change events, this will automatically trigger an immediate detection event with the WSUS server configured in the URL.

Confirm the Policy Was Applied

One of the most common errors I see in configuring a client is assuming that the policy was applied. There are three ways you can verify policy settings have been applied.

1. Inspect the Registry

Open the Registry Editor, and navigate to HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

If the policy applied correctly, these five registry values will be present. (There may be others, but they don’t matter at this point.)

• AUOptions – should be ‘3’
• NoAutoUpdate – should be ‘1’
• UseWUServer – should be ‘1’
• WUServer – should be the value you entered in the policy settings dialog (e.g. http://servername or http://servername:8530)
• WUStatusServer – should be identical to WUServer

2. Review the WindowsUpdate.log

At the time you ran the GPUPDATE command earlier, or anytime the Windows Update service is started, these entries of immediate interest will be made to the WindowsUpdate.log:

• The current client version (if a successful connection was made to the WSUS server after applying the policy, the minimum WUAgent version should be v7.6. On Win8/Win2012 systems this will be v7.8.)
• The URL of the WSUS server
• The option chosen in Configure Automatic Updates (Option #3 = “Pre-install notify”)

3. Use the Free SolarWinds Diagnostic Tool for the WSUS Agent

This tool will inspect your registry, display all of the significant values found, and identify if any are inconsistent.

Confirm the WSUS Server Appears in the WSUS Console

Finally, after confirming the system has been properly configured, you should review the WSUS console to verify that the WSUS server is listed in the All Computers group.

Add Other Clients

Okay, so we’re done with the hard part. The easy part is just reproducing the above using Group Policy. The first step in using Group Policy is to understand your Active Directory Organizational Unit structure. The second step is to create a Group Policy Object (GPO). While the WSUS GPO can be linked at the domain level, it’s much more realistic that you will have more than one GPO (desktops, servers) and they will be linked by Organizational Unit. Survey your OrgUnits so that you know where the various  machine types are contained. Also consider additional behavioral configurations of the Windows Update Agent that may drive your need for additional GPOs.

Configure a Group Policy Object

Configuring a GPO is identical to the process you used for configuring the WSUS server via Local Policy, except now instead of using the local policy editor you’ll use the Group Policy Management Console (GPMC) with a domain administrator account. The GPO is hosted on the domain controllers and acquired by a client system when the machine logs onto the domain.

After configuring the GPO you’ll need to link it to one or more Organizational Units, where those OrgUnits hold the machines that are appropriate for the settings in the GPO.

And, like you did for the local policy on the WSUS server, you’ll also need to confirm that the policy is successfully applied by inspecting the registry and/or the WindowsUpdate.log.

Troubleshooting Group Policy

A full discussion on troubleshooting Group Policy issues is beyond the scope of this article, so if you’ve not explored this concept, I would encourage you to do so. If your GPO does not get applied to a client system, this typically happens for one of the following reasons:

• The client system is not joined to the domain.
• The client system is not assigned to the correct Organizational Unit.
• The Group Policy is not linked to the correct Organizational Unit(s).
• A conflicting policy is overriding the settings in your GPO.
• Some other (typically more severe) data communication issue is at work. In these scenarios the client is likely not getting any group policy settings, rather than just not getting the WSUS settings.

Use Policy Management & Monitoring tools

You can also use GPResult or RSOP (Resultant Set of Policy) to verify the policy has been applied. RSOP is useful when you need to troubleshoot why a policy is not being applied, or when conflicting policy settings are being applied. For simply confirming that the right settings have been applied, however, reading the registry or the WindowsUpdate.log is much simpler and faster.

On Thursday (Apr 4) Microsoft announced the forthcoming content for Patch Tuesday – Apr 9, 2013.

You can have Microsoft's security bulletins sent directly to you:

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications.

Microsoft also hosts a webcast where they discuss the releases, typically the Wednesday after Patch Tuesday:

Microsoft will host a webcast to address customer questions on the security bulletins on April 10, 2013, at 11:00 AM Pacific Time (US & Canada).

Register now for the April Security Bulletin Webcast. After this date, this webcast is available on-demand.

You can also follow the MSRC team at @MSFTSecResponse.

Number of Releases: 9

Critical Security Updates: 2 addressing vulnerabilities in Windows and Internet Explorer.

Important Security Updates: 7 addressing vulnerabilities in Windows, InfoPath 2010, Sharepoint Server 2010/2013, Sharepoint Foundation 2010, Groove Server 2010, Office Web Apps 2010, and Windows Defender for Win8/WinRT.

Updates are typically released by Microsoft at 10am PT (6pm UTC).

Configuring WSUS servers to synchronize relative to that time can be helpful in expediting availability of these security updates.

Configuring the Windows Update Agent - Overview

Configuring the Windows Update Agent - General Settings Part 1

Configuring the Windows Update Agent - General Settings Part 2

6. Policies exclusive to WSUS environments

In this section, we’ll look at the three configuration settings that are exclusive to the WSUS environment.

Specify Intranet Microsoft update service location

This setting defines a client as a WSUS client. If this option is Disabled or has never been configured, the client system will use AU/WU/MU for detection. When this option is Enabled, the URL specifies the WSUS server to be used. Only the WUServer value needs to be specified in the setting; the v7.x Windows Update Agents ignore the WUStatusServer value. The WUServer value must be a URL of the form http://nameOfWSUSServer.

Enable client-side targeting

WSUS uses groups to provide approvals to client systems for the installation of updates. Groups must be created in the WSUS console, but membership in those groups can be assigned from the console or by using policy settings. In addition to this policy setting, the Options|Computers dialog in the WSUS console must be set to the correct value. The default configuration is “server-side targeting” and group memberships are managed from the WSUS console. When using server-side targeting, this policy setting should be set to Disabled to ensure clients do not attempt to exert authority over their group memberships. If this policy setting is Enabled, the group(s) that a client is assigned to are defined in the policy setting using a semi-colon delimited list. The client becomes authoritative for these group memberships as configured in the policy setting. Do not specify “All Computers” or “Unassigned Computers” in this setting. The Options|Computers setting must also be set to “Use Group Policy…” so that the WSUS server knows the client is authoritative. This setting also disables the ability to change group memberships from the console.

Allow signed updates from an intranet Microsoft update service location

When a WSUS server is used to distribute locally published updates to client systems, this setting must be Enabled to permit the WUAgent to validate the packages using an alternate code-signing certificate (one not issued by the Microsoft WU infrastructure).

Configuring the Windows Update Agent - Scheduled Installations

Configuring the Windows Update Agent - Overview

5. WUA General Settings

The first group of settings to be familiar with are the general settings. These settings apply to all systems regardless of how they obtain updates. While generally not used for non-WSUS clients, it’s important to know that Automatic Updates (AU) clients can be configured, and these settings actually predate the creation of SUS/WSUS.

Configure Automatic Updates

On non-WSUS systems, this value is typically configured at installation, or by a user via the Control Panel. The setting provides five valid options which determine how updates are downloaded and installed. The options are:

• Option 1: Not used
• Option 2: Notify before download / Notify before installation
• Option 3: Download automatically / Notify before installation
• Option 4: Download automatically / Schedule installation
• Option 5: Allow local administrator to choose the configuration

Automatic Updates Detection Frequency

This value specifies how often the system checks for updates. The default value is 22 hours, but this value includes a random negative offset of 0-20%. So in actuality, the system checks every 17.6-22 hours, and the interval varies with each detection event. The most significant factor in setting this value is to make it consistent with your WSUS server synchronization schedule. If your WSUS server only synchronizes once per day, there’s minimal value in changing this value from the default; however, if your WSUS server is synchronizing multiple times per day, having the client check in more often can be quite useful. Do not set this value to 1 hour. While it is a valid value that may be useful for limited diagnostic purposes, a regular 1-hour detection interval will interfere with the expiration of the targeting cookie (which has a 60-minute time-to-live).

Do Not Display “Install Updates and Shutdown” Option

The default behavior is to always present this feature when applicable. The setting allows the option to be removed from the shutdown menu. On Windows 7 and Windows Server 2008 R2 systems with Service Pack 1, the user no longer has a menu choice – installation of updates is forced upon the user when executing a shutdown from the Start Menu. (The installation can be bypassed by launching a shutdown from the command line using shutdown /s /t 0.) The setting can be configured either as a computer option (affecting all users) or a user option (only affecting domain users). Implementing it as a user option can be effectively used to override the behavior for regular domain users, but still allow launching of the capability via a local account.

Do Not Adjust Default Option to “Install Updates and Shutdown”

This setting preserves the existence of the option to install updates at shutdown but does not display it as the default option. The setting is really only relevant on Windows XP/2003 systems where the dialog box presents a dropdown menu of choices. As noted previously for Windows 7/2008R2 SP1 systems, this is the only option presented via the Start Menu. On Vista/2008 SP2 systems, the options are presented as a fly-out menu. Like the setting to suppress the option, this setting can be configured either as a computer option or a user option.

Configuring the Windows Update Agent - General Settings Part 2

Configuring the Windows Update Agent - WSUS Settings

1. What is the Windows Update Agent (WUA)

2. Methodologies: Policy vs. Registry

3. General Considerations

• The Policy settings and registry values that we will discuss in this article are documented in the WSUS Deployment Guide. Except where expressly noted, all policy settings are found in the Computer Configuration\Administrative Templates\Windows Components\Windows Update node of the policy editor. In the interests of brevity, all future policy setting references will be identified as one of the following:
  • ComputerTemplates- \Computer Configuration\Administrative Templates

• All WUA computer policy settings are manifested in one of these two registry keys:
  • HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
  • HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
• All WUA user policy settings are manifested in one of these two registry keys:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate

4. WUA default behavior

• Checks for updates from Automatic Updates every 17.6-22.0 hours.
• Downloads updates automatically upon detection of availability and schedules the installation to occur at 3am the next day.
• Restarts the system five minutes after the completion of the installation.
• If the system is powered off at 3am, the downloaded updates are automatically installed the next time the system is powered on.
• On Windows XP and Windows Server 2003 systems, if the logged-on user has administrative privileges, that user can
  • Select which updates to install.
  • Initiate the installation of updates before the scheduled installation time.
  • Choose whether to reboot the system after the installation is completed, or reboot the system later. If later is chosen, the user is re-prompted every 10 minutes until the user chooses to reboot the system, or the user logs off. If the user logs off, the reboot occurs within 10 minutes.
• On Windows Vista and all newer systems, all users have privileges to select which updates to install, when they are installed, and whether the system is restarted after installation.