How to enable WSUS service on group policy

I have a big domain with lots of computers. We have several WSUS servers scattered around without good documents. When I checked the group policy management console, it shows I only have one policy enabled for "Windows Update" under the "Windows Components" directory.
The enabled policy is called "Allow signed updates from an intranet Microsoft update service location". Since I had watched a video introducing the initial configuration on group policy, it asks me to enable both "Configure Automatic Updates" and "Specify intranet Microsoft update service location". I was wondering if I need to do it. Please see the picture and give me some advice.

Jason Yu Asked:

yo_bee, Director of Information Technology, Commented:
If the image that you posted is the only GPO that has any WSUS settings then your WSUS servers are doing nothing at all.  The reason is that by default clients only call out to Microsoft unless changed by a GPO or manually changing the registry on each client.

When you set up WSUS you need to point all your clients (Servers and Workstations) to one of your many WSUS Servers by configuring the "Specify intranet Microsoft Update Location" GPO setting,
i.e. https://server1WSUS:8530 or something similar. Since you mentioned that there are many sites, you want to put a WSUS at each location to limit the number of calls the clients make over your WAN.

You want to set up your host servers in a hierarchy, with one of your servers being the only one calling out to the internet for downloading the new updates published and the rest of them pulling from the intranet.

So if you have 10 sites that you want to configure, I would recommend that you build a pyramid that

Server 1 > Downloads from internet
Server 2-4 downloads from Server 1
Server 5-7 downloads from Server 2
Server 8-10 downloads from Server 3

You will then have to build different OUs with the proper settings to point to the correct WSUS.
These OUs will house the Workstations and Servers so they get the proper server that is hosting WSUS.

Seth Simmons, Sr. Systems Administrator, Commented:
it asks me to enable both "configure Automatic updates" and "specify intranet Microsoft update service location"

yes, you need both
you need to specify the update behavior; just notify, download and notify, or directly install

you need to specify the wsus server you are using.  for 2008, just put the url of the server
if you have not changed the default port or enabled ssl, then simply putting http://wsusserver.domain.local (replace with your fqdn) is enough.  the above shows port 8530 but only applies as the default for 2012; 2008 uses port 80
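
The check below is an added example, not part of the original answers: it reads the registry values that the two settings discussed above write on a client, so you can see whether a machine is really pointed at a WSUS server. The value names are the standard Windows Update policy values; the wording of the findings is this example's own.

```powershell
# Added example: report the Windows Update policy values this client received.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = [pscustomobject]@{
    Computer                    = $env:COMPUTERNAME
    WUServer                    = Get-PolicyValue $wuKey 'WUServer'        # intranet update service
    WUStatusServer              = Get-PolicyValue $wuKey 'WUStatusServer'  # intranet statistics server
    UseWUServer                 = Get-PolicyValue $auKey 'UseWUServer'     # 1 = use WUServer
    NoAutoUpdate                = Get-PolicyValue $auKey 'NoAutoUpdate'    # 1 = automatic updates off
    AUOptions                   = Get-PolicyValue $auKey 'AUOptions'       # 2 notify, 3 download+notify, 4 scheduled install
    AcceptTrustedPublisherCerts = Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts'
}

$findings = @()
if (-not $report.WUServer -or $report.UseWUServer -ne 1) {
    # Matches the situation in the question: no intranet location is configured.
    $findings += 'No intranet update service in effect; this client talks to Microsoft Update directly.'
}
elseif ($report.WUServer -notmatch '^https://') {
    $findings += "WUServer '$($report.WUServer)' uses plain HTTP; SSL is not enabled for this client's WSUS traffic."
}
if ($null -eq $report.AUOptions -and $report.NoAutoUpdate -ne 1) {
    $findings += '"Configure Automatic Updates" is not set by policy; update behavior is left to local settings.'
}
if ($report.AcceptTrustedPublisherCerts -eq 1 -and -not $report.WUServer) {
    $findings += 'Signed intranet updates are allowed, but no intranet server is configured.'
}

$report | Format-List
if ($findings) { $findings } else { 'Both settings are present and point at an HTTPS WSUS server.' }
```

Run it locally in an elevated or normal PowerShell session after `gpupdate /force`; it only reads the registry and changes nothing.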
Jason Yu, Author, Commented:
Hi, yo_bee and Seth, thank you for your help. I am the senior sys admin here and have access to the domain group policy editor. If I created the update group policies as Seth suggested, how could I point servers/workstations at different locations to the WSUS server at their site? In the group policy management console, it only lets me input one server's address, right?

I took over this position two weeks ago. My predecessor left me a bunch of WSUS servers in different locations, and I have to figure out how he connected them and made them work together.

Jason Yu, Author, Commented:
I got more settings information, could you guys please take a look?

Thanks in advance.

Seth Simmons, Sr. Systems Administrator, Commented:
you would have to group your systems by site since the policy is by OU
if you have one site in chicago and another in houston, have different OU for each one that way chicago systems can use the chicago wsus server and the same with houston

in the wsus console, check downstream servers and see if there is anything there - in case one server pulls in everything and the other servers pull from that first server.  if there are no downstream servers on any of them, then they are all pulling their updates directly from microsoft
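
The per-site layout described above, as an added example that is not part of the original thread: one GPO per site, each carrying both settings and linked to that site's OU. The OU distinguished names, server names, port and GPO names are constructed placeholders; the cmdlets come from the GroupPolicy module that ships with the Group Policy Management tools.

```powershell
# Added example: create one WSUS GPO per site and link it to the site's OU.
Import-Module GroupPolicy

# Constructed placeholders: replace with your own OUs and WSUS server URLs.
$sites = @(
    @{ Name = 'Chicago'; OU = 'OU=Chicago,DC=domain,DC=local'; Wsus = 'http://wsus-chicago.domain.local:8530' },
    @{ Name = 'Houston'; OU = 'OU=Houston,DC=domain,DC=local'; Wsus = 'http://wsus-houston.domain.local:8530' }
)

$wuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

foreach ($site in $sites) {
    $gpoName = "WSUS - $($site.Name)"

    # Reuse the GPO if it already exists so the script can be re-run safely.
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

    # "Specify intranet Microsoft update service location"
    Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUServer'       -Type String -Value $site.Wsus | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUStatusServer' -Type String -Value $site.Wsus | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'UseWUServer'    -Type DWord  -Value 1 | Out-Null

    # "Configure Automatic Updates": 3 = download automatically and notify for install
    Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'AUOptions'    -Type DWord -Value 3 | Out-Null

    # Link the GPO to the site's OU unless it is already linked there.
    $linked = (Get-GPInheritance -Target $site.OU).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $linked) { New-GPLink -Name $gpoName -Target $site.OU | Out-Null }

    '{0}: {1} -> {2}' -f $gpoName, $site.OU, $site.Wsus
}
```

Computers pick up the server for whichever OU they sit in, so a machine moved between site OUs changes WSUS server at its next policy refresh.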
