Windows computers connection to WSUS server

I am planning to install and configure WSUS server for windows updates. I would like to know how windows computers connect to WSUS server.
I know that all windows computers have windows update service installed by default when the system is installed, but how do they connect to WSUS server? is there any configuration on WSUS server to make computers show up under All Computers node in WSUS console?

Any help will be very much appreciated.

Thank you
jskfanAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
Yes, you must inform windows update that there is a WSUS server. You can either do this by changing registry settings on each client, or you can use group policies to centrally push out the necessary changes. This is covered in the WSUS deployment guide on TechNet. I personally recommend group policy.
0
Seth SimmonsSr. Systems AdministratorCommented:
Use group policy to define your WSUS server and how you want windows update to behave and it will propagate to all servers in the OU you apply the policy to.

http://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspx
0
jskfanAuthor Commented:
- Ok...I guess for all computers to report to WSUS , I need to link a GPO to the the domain and all I need in the Policy settings is to enable  "Specify Intranet Microsoft Update service Location" and type "Http://myWSUSserver.domainname.local"
Correct?

- Now after all computers show up in WSUS console in "All computers" I can move them to  specific groups (assuming I have already created groups in WSUS console).
correct ?

- Now how do I set up GPOs for each WSUS group from GPMC, since in our AD we have all servers  under OU named  ServerOU.?

- in My environment I need to deploy just OS related updates no application updates such as SQL or Exchange or Sharepoint. I know when you install WSUS server , the wizard will give you option to select which updates the WSUS will lookup for and download from Microsoft. In my case the WSUS server is already install, so how do I go back and select/deselect the updates that I want my WSUS server to lookup for ?

Thank you
0
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

Seth SimmonsSr. Systems AdministratorCommented:
1) yes...specify the url to the server where wsus resides

2) yes...you can move to different groups as needed

3) the wsus configuration is by the GPO applied to the OU; not the wsus group itself

4) in the wsus console, click options on the left and products and classifications on the right then check/uncheck as needed.  operating systems are about 3/4 the way down the list

a couple other things i like to do...in the GPO, you can configure the automatic updates as to how to handle updates (download and install, notify and install, etc.) and at what time of day.  you can also select how often to check for updates (automatic updates detection frequency) so you can have clients check for updates every 4 hours (or other value) if you wanted.  also you can enable client-side targeting.  this specifies what wsus group systems go into.  if you only have 1 OU, then defining this would put all those systems in the same wsus group.  if you have 1 OU and want multiple wsus groups to organize, then leave it blank and you can manage manually in the console
0
jskfanAuthor Commented:
Servers are already in one OU and have some other GPOs linked to that OU, this is why I do not want to put them in separate OUs that correspond to WSUS groups.


I do not understand what you said here:

<<if you have 1 OU and want multiple wsus groups to organize, then leave it blank and you can manage manually in the console>>

what should I leave blank ? and  how can I manage that manually in the WSUS console.?

If I understand you, I need to select an update and deploy it to a WSUS group, that might make sense, but how to schedule it and tell it restart after the updates have been installed at certain time without GPO?

Thanks
0
Seth SimmonsSr. Systems AdministratorCommented:
when you change the settings in the GPO, you are specifying all for that OU go in that one wsus group.  for example, if things were geographically dispersed and you had an OU for each physical site, you could match that in wsus by having corresponding groups then just define in the GPO for each site.  in your case they are all in one OU so specifying a group in wsus will put in the same group but you can move after.

or, just do it manually (easier if you don't have a lot to manage) by right clicking on a computer and move to a different group
0
jskfanAuthor Commented:
I understand that I can move computers manually from "All Computers" group in WSUS console to specific groups in WSUS console.

However, if I want to set up specific GPOs settings for each group, then how can I do that in GPMC without creating separate OUs in AD that correspond to WSUS groups and create GPOs settings for MS Updates to be applied to computers in each OU.?

So , My plan is after creating separate groups in WSUS, for instance:

Sunday Reboot
Wednesday Reboot
...
...
etc..

How can I set up GPO when having all my servers in one OU in Active Directory ?

Thanks
0
wynandkunkelCommented:
Hi jskfan,

The groups in AD and in WSUS are completely independent of each other.  I do the following with all my clients:

Create a single GPO that in effect just points the clients to the WSUS server, and link that GPO to the root of the domain (i.e. same as the default domain group).

Within WSUS then create the required different groups (as per customer requirements) and move the devices within WSUS to the different groups.

Wynand
0
jskfanAuthor Commented:
Then how do you schedule your WSUS groups to download and install updates at different times.

for instance :
Group1 : schedule them to install updates/reboot on Saturday 3 am
Group2 : schedule them to install updates/reboot on sunday 2 am
etc...
0
wynandkunkelCommented:
Hmmm... hehehe... I completely misread...

Here's is what I would do with regards to the question: "is there any configuration on WSUS server to make computers show up under All Computers node in WSUS console?"  Create a GPO that just points the Windows Update Agents to the onsite or selected WSUS server, with the setting "Auto download and notify for install" and link this to the domain.  This gives basic protection so that any new machine on the AD immediately is configured to point at the WSUS server, although manual administrative action is needed, and the WSUS reports will alert you to the fact that the PC is in need of a reboot (i.e. awaiting reboot).

With regards to the scheduled reboots per group I would rather then additionally create AD Security Groups (e.g. Reboot_Saturday, Reboot_Sunday etc.) and make the relevant computers members of the group.  (Periodically as and when WSUS system is maintained, newly joined computers would then also be added to the correct Security Group.)

I would then create multiple GPO's which would be identical except the scheduled install day, reboot time and security group to which it is applicable.  These would also be linked to the domain.

You "might" have fiddle with the GPO link order, but I think this would satisfy the question "Then how do you schedule your WSUS groups to download and install updates at different times."
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jskfanAuthor Commented:
GPO By security groups may do it...Thanks
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.