?
Solved

Need to have users computers get their windows updates from our SUS server

Posted on 2016-10-17
17
Medium Priority
?
53 Views
Last Modified: 2016-10-21
I have a SUS server setup and now I need to know where in the Group Policy I can push out to all of the users computers, so that they they get their updates from our SUS server and not from Microsoft site..
Can anyone tell me where this is on the Group Policy and what I need to set?
0
Comment
Question by:vmich
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
17 Comments
 
LVL 23

Expert Comment

by:yo_bee
ID: 41846675
Check to see if you have Computer Configuration\Administrative Templates\Windows Components\Windows Update..  If not you will need to download the ADM file and add it to your GP.
 
Here is the TechNet that you should follow.
You will need to add WSUS ADM file to your system
https://msdn.microsoft.com/en-us/library/dd939933(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc720539(v=ws.10).aspx
0
 
LVL 17

Expert Comment

by:Ivan
ID: 41846676
Hi,

settings can be found in Computer Configuration --> Policies --> Administrative Templates --> Windows Componenets --> Windows Update
In there, 2 options that you must set are:
1. Configure Automatic Updates
2. Specify intranet Microsoft Update service location --> this is your wsus server

You can off course configure additional options, but those 2 are must.

Regards,
Ivan.
0
 
LVL 7

Accepted Solution

by:
No More earned 2000 total points
ID: 41846687
You need to create groups on WSUS server, 1 group for user computers and 1 for servers

Then Group policy:

Computer Policy\Administrative Templates\Windows Components\Windows Update

1, Specify Intranet Microsoft Update Service Location     \\yourWSUSserver
2, Enable Client-Side Targeting       Users computers   (Set up on WSUS)

There are few more options , which are up to you
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 1

Author Comment

by:vmich
ID: 41846698
can this be done also just via the SUS server and not via the GP or does it have to be setup in the GP also?
0
 
LVL 7

Expert Comment

by:No More
ID: 41846703
Group Policy  has to be set / aplied to computers to make this work
0
 
LVL 1

Author Comment

by:vmich
ID: 41846715
Ok just so I am 100% sure on this, even though I setup the SUS side and have computers showing up in there, I have to still enable the GP piece also for this to work correct, not just setting up the SUS side correct?
0
 
LVL 7

Expert Comment

by:No More
ID: 41846725
Specify Intranet Microsoft Update Service Location = Is a must
this tuns on "Download Updates From Wsus"
0
 
LVL 1

Author Comment

by:vmich
ID: 41846728
Ok will check it out.
Thanks
0
 
LVL 7

Expert Comment

by:No More
ID: 41846730
Also don't forget It will download only those updates you Aprove
0
 
LVL 1

Author Comment

by:vmich
ID: 41846738
Ok
0
 
LVL 1

Author Comment

by:vmich
ID: 41847049
David,
Just an update..
I have checked a couple computers and they do have the registry entry(WUServer and WUStatusserver) with the name of our SUS server on them but we don't have anything setup via GPO just via the SUS server itself.
Also when I check the computer policy on these same computers, they don't show anything enabled meaning nothing from a GP.
Is there anyway to tell if these workstations are getting their updates via Microsoft web site and not our SUS?
0
 
LVL 7

Expert Comment

by:No More
ID: 41847083
I actually think by default it's that way unless you change settings in WSUS

WSUS : Options - Computer

By default computers will be added to unassigned computer group in WSUS

Wuauclt /registernow /detectnow     to recheck WSUS on Computers
0
 
LVL 1

Author Comment

by:vmich
ID: 41847107
David,
Two things.
First do I run that command (wuauclt)you gave on the pc at the dos prompt because when I run it, it looks like it runs but I never see anything come up or do I run that on the SUS server?

Ok I see on our network appliance that the other day there was about 450 request going out to
au.ds.windowsupdates.com
This should not be since it appears the  pc look as if they are talking with our SUS server.
Any idea what this means?
0
 
LVL 7

Expert Comment

by:No More
ID: 41847114
Wuauclt /registernow /detectnow  this comomand    won't show output, as it's just to make sure, that Computers are using WSUS as a source of updates

You are sorted

But, I would suggest, to set it for GPO options in some stage, in case you need to control / manage specific updates to certain groups / departments
0
 
LVL 1

Author Comment

by:vmich
ID: 41848229
David,
Sorry to bother you again with this but I found in our GPO yesterday that there is two GPOs one for computers and one for servers and they are named SCE Managed Group Policy Computers and
SCE Managed Group Policy Servers. We did not create these so I am wondering if this Is this what is created if you have the selection in computers for use the update service console?
When I check one of the pc's, it does show our SUS server name that it appears to be using.
0
 
LVL 7

Expert Comment

by:No More
ID: 41848235
I would say WSUS created these groups for it self, I actually never ran WSUS in setup what you have, I always had full GPO control.
0
 
LVL 1

Author Closing Comment

by:vmich
ID: 41854280
create groups in wsus and setup in GP
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This Micro Tutorial will teach you how to the overview of Microsoft Security Essentials. This is a free anti-virus software that guards your PC against viruses, spyware, worms, and other malicious software. This will be demonstrated using Windows…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question