Q: What are the core Group Policy settings I need to set in my environment to use an internet Windows Server Update Services server?
A. To use an internal WSUS server, it's necessary to configure clients with automated update settings and also configure which server to communicate with. Additionally, you can configure the clients to be a member of a specific WSUS computer group if you're deploying patches in WSUS based on computer group targets.
Follow the instructions below to configure your Group Policy Object (GPO) and make sure you link it at the domain or OU that contains the computers you want to configure. If you have multiple computer groups, you might have different GPOs that define different computer groups and link those policies to different OUs.
- Open the Group Policy Management console, and open an existing GPO or create a new one.
- Navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, Windows Update.
- Double-click Configure Automatic Updates and set to Enabled, then configure your update settings and click OK.
- Double-click Specify intranet Microsoft update service location and set to Enabled, and set the URI of your WSUS server. If you selected the defaults this will be http://
:8530--for example, http://savdalwsus01.savilltech.net:8530. Enter this in both text entry boxes and click OK. - If you want to configure a computer group, double-click Enable client-side targeting, set to Enabled, and enter the target group name that exactly matches one defined in WSUS, then click OK.
- Close the Group Policy Management Editor.
Refresh policy on your client machines that are in the domain or OU linked for the GPO, and they will have the new settings. Once the policy has been applied, opening the Windows Update control panel applet will show settings have been configured by the administrator. Below is an image of the policy items that should be set in your GPO.
