Solved

Need to have users computers get their windows updates from our SUS server

Posted on 2016-10-17
17
48 Views
Last Modified: 2016-10-21
I have a SUS server setup and now I need to know where in the Group Policy I can push out to all of the users computers, so that they they get their updates from our SUS server and not from Microsoft site..
Can anyone tell me where this is on the Group Policy and what I need to set?
0
Comment
Question by:vmich
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
17 Comments
 
LVL 22

Expert Comment

by:yo_bee
ID: 41846675
Check to see if you have Computer Configuration\Administrative Templates\Windows Components\Windows Update..  If not you will need to download the ADM file and add it to your GP.
 
Here is the TechNet that you should follow.
You will need to add WSUS ADM file to your system
https://msdn.microsoft.com/en-us/library/dd939933(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc720539(v=ws.10).aspx
0
 
LVL 16

Expert Comment

by:Ivan
ID: 41846676
Hi,

settings can be found in Computer Configuration --> Policies --> Administrative Templates --> Windows Componenets --> Windows Update
In there, 2 options that you must set are:
1. Configure Automatic Updates
2. Specify intranet Microsoft Update service location --> this is your wsus server

You can off course configure additional options, but those 2 are must.

Regards,
Ivan.
0
 
LVL 7

Accepted Solution

by:
No More earned 500 total points
ID: 41846687
You need to create groups on WSUS server, 1 group for user computers and 1 for servers

Then Group policy:

Computer Policy\Administrative Templates\Windows Components\Windows Update

1, Specify Intranet Microsoft Update Service Location     \\yourWSUSserver
2, Enable Client-Side Targeting       Users computers   (Set up on WSUS)

There are few more options , which are up to you
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 1

Author Comment

by:vmich
ID: 41846698
can this be done also just via the SUS server and not via the GP or does it have to be setup in the GP also?
0
 
LVL 7

Expert Comment

by:No More
ID: 41846703
Group Policy  has to be set / aplied to computers to make this work
0
 
LVL 1

Author Comment

by:vmich
ID: 41846715
Ok just so I am 100% sure on this, even though I setup the SUS side and have computers showing up in there, I have to still enable the GP piece also for this to work correct, not just setting up the SUS side correct?
0
 
LVL 7

Expert Comment

by:No More
ID: 41846725
Specify Intranet Microsoft Update Service Location = Is a must
this tuns on "Download Updates From Wsus"
0
 
LVL 1

Author Comment

by:vmich
ID: 41846728
Ok will check it out.
Thanks
0
 
LVL 7

Expert Comment

by:No More
ID: 41846730
Also don't forget It will download only those updates you Aprove
0
 
LVL 1

Author Comment

by:vmich
ID: 41846738
Ok
0
 
LVL 1

Author Comment

by:vmich
ID: 41847049
David,
Just an update..
I have checked a couple computers and they do have the registry entry(WUServer and WUStatusserver) with the name of our SUS server on them but we don't have anything setup via GPO just via the SUS server itself.
Also when I check the computer policy on these same computers, they don't show anything enabled meaning nothing from a GP.
Is there anyway to tell if these workstations are getting their updates via Microsoft web site and not our SUS?
0
 
LVL 7

Expert Comment

by:No More
ID: 41847083
I actually think by default it's that way unless you change settings in WSUS

WSUS : Options - Computer

By default computers will be added to unassigned computer group in WSUS

Wuauclt /registernow /detectnow     to recheck WSUS on Computers
0
 
LVL 1

Author Comment

by:vmich
ID: 41847107
David,
Two things.
First do I run that command (wuauclt)you gave on the pc at the dos prompt because when I run it, it looks like it runs but I never see anything come up or do I run that on the SUS server?

Ok I see on our network appliance that the other day there was about 450 request going out to
au.ds.windowsupdates.com
This should not be since it appears the  pc look as if they are talking with our SUS server.
Any idea what this means?
0
 
LVL 7

Expert Comment

by:No More
ID: 41847114
Wuauclt /registernow /detectnow  this comomand    won't show output, as it's just to make sure, that Computers are using WSUS as a source of updates

You are sorted

But, I would suggest, to set it for GPO options in some stage, in case you need to control / manage specific updates to certain groups / departments
0
 
LVL 1

Author Comment

by:vmich
ID: 41848229
David,
Sorry to bother you again with this but I found in our GPO yesterday that there is two GPOs one for computers and one for servers and they are named SCE Managed Group Policy Computers and
SCE Managed Group Policy Servers. We did not create these so I am wondering if this Is this what is created if you have the selection in computers for use the update service console?
When I check one of the pc's, it does show our SUS server name that it appears to be using.
0
 
LVL 7

Expert Comment

by:No More
ID: 41848235
I would say WSUS created these groups for it self, I actually never ran WSUS in setup what you have, I always had full GPO control.
0
 
LVL 1

Author Closing Comment

by:vmich
ID: 41854280
create groups in wsus and setup in GP
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question