Ensuring timely installation of updates in workgroups. Configuring WSUS clients using group policies. Where Windows Update settings live in the registry.

Automatic updates are an important function of any operating system. Thanks to them, the computer receives important updates on time, which makes the system more stable and secure. In Windows 7 the function is enabled out of the box: if there is a connection to the Microsoft servers, the update service checks for fresh packages, downloads them and installs them. Usually all of this happens almost unnoticed by the user, but when constant offers to upgrade to Windows 10 start appearing, it becomes too much.

In theory there is no need to disable automatic downloading of updates. It is useful because it closes security gaps, optimizes the operation of the OS and adds new features (in the case of Windows 10). Still, there is a list of reasons why the auto-update service may need to be disabled:

  1. The user does not like that during the update the Internet speed drops and/or the PC cannot be turned off for a long time.
  2. The computer has expensive or limited wireless Internet.
  3. Problems after launching the updated OS.
  4. Failures during the installation of update packages.
  5. There is not enough space on the system volume to accommodate the increase in volume of Windows 7, which grows with each update.

Operating modes

Still, before you disable Windows 7 updates, think about whether it is really necessary. Instead of deactivating the service, it can be switched to one of the following operating modes.

  1. Fully automatic - operations proceed without user intervention, only notifying the user that the installation of packages is complete.
  2. Searches and downloads the latest fixes on a schedule, and the installation of packages is carried out by the user.
  3. Automatic checking and notifying the user about the availability of updates.
  4. Self-update is disabled. Everything is done manually.

Options are selected in the Update Center component.

Ways to disable updates

The settings of any Windows version are stored in its registry. The key responsible for the Update Center settings can be reached in several simple ways and a couple of more complex ones. Let's look at them all.

Change Update Center settings

Let's start by configuring the service to suit ourselves. To reach the configuration interface, open the “Update Center” using one of the following methods.

Via System properties

  1. Through the context menu of My Computer, call up its “Properties”.
  2. In the left vertical menu, click on the corresponding link located at the bottom of the window.

Via Control Panel

  1. Go to the “Control Panel”.
  2. Open the “System and Security” section.
  3. Call the element of the same name.

If Control Panel items are shown as icons rather than categories, a link to the item appears directly in the main window.

  1. Once in the desired window, click “Change settings”.
  2. Under “Important updates”, select the appropriate option from the drop-down list.

The only way to completely disable receiving updates on a computer with Windows 7 is to stop the service.

Disabling the service

Services in Windows 7 are managed through:

  • direct editing of registry keys, which is very inconvenient;
  • third-party programs for configuring the OS (we’ll skip this option);
  • MMC console snap-in;
  • system configuration;
  • command line;
  • Group Policy Editor (present in Windows 7 Ultimate, Enterprise).

Removing a service from autostart

The fastest way to disable updates is through the system configurator.

  1. Execute “msconfig” in the “Run” dialog, which opens after pressing Win + R or clicking “Run” in the Start menu.
  2. Go to the “Services” tab.
  3. Find “Windows Update” (the name may appear in its localized form) and uncheck the box next to it.
  4. Save the new settings.

Until the end of the current session the service keeps running and performing its tasks as usual. To apply the new configuration, Windows 7 must be rebooted.

Let's use the MMC console snap-in

The system console snap-in of the same name gives access to the management of all services on the PC. It is started like this.

  1. Open the context menu of “My Computer”.
  2. Call the “Manage” command.
  3. In the left pane, expand the “Services and Applications” item, then click “Services”.

A simpler option for calling the same window would be to run the “services.msc” command through the “Run” dialog.

  1. Scroll to the very end of the list of services and open the “Properties” of the Windows Update service.
  2. In the “Startup type” drop-down list, select “Disabled” instead of “Automatic” to say goodbye to automatic updates for good. If the service must be stopped right now, also click “Stop”. Save the new settings with the “Apply” button and close all windows.

The PC does not need to be rebooted to apply the settings.

Group Policy Editor

Another MMC snap-in called the Local Group Policy Editor will help you configure any system parameter.

It is not available in the Home editions of Windows 7!

  1. Launch the tool by running “gpedit.msc” from the “Run” dialog.
  2. Under “Computer Configuration”, expand the “Administrative Templates” branch.
  3. Open “Windows Components” and find “Windows Update”.
  4. In the right pane, locate the setting named “Configure Automatic Updates”.
  5. Open its properties.
  6. Select “Disabled” and click “OK” to close the window and save the changes.

Let's use the command line

Through the command line, all the same operations can be performed as through the graphical interface, and more, but in text mode. The main thing is to know the syntax and parameters of the commands.

The command line is started with the “cmd” command.

  1. Open the “Run” dialog and execute “cmd” to start the command interpreter.
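The command-line equivalent of the services.msc and Update Center steps described above, as an added example that is not part of the article. It is written for PowerShell 2.0 (what Windows 7 ships with) and must be run in an elevated session. The unmanaged (non-policy) location of the Update Center choice, the “Auto Update” key with its AUOptions value, is stated here from general knowledge of Windows 7, not from the article:

```powershell
# Added example (not part of the article): inspect and change the Windows Update
# service and read the Update Center mode from PowerShell on Windows 7.
# Run in an elevated PowerShell session; no PS 3.0-only syntax is used.

# Where the Update Center choice is stored when it is NOT set by policy
# (AUOptions: 1 = never check, 2 = check only, 3 = download and notify, 4 = install automatically).
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-WindowsUpdateState {
    $svc = Get-Service -Name wuauserv
    # Get-Service in PS 2.0 has no StartType property; WMI exposes StartMode instead.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    $au  = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    $mode = $null
    if ($au -and $au.PSObject.Properties['AUOptions']) { $mode = $au.AUOptions }
    New-Object PSObject -Property @{
        ServiceStatus = $svc.Status
        StartMode     = $wmi.StartMode
        AUOptions     = $mode
    }
}

function Disable-WindowsUpdateService {
    # Same effect as "Startup type = Disabled" plus "Stop" in the service properties.
    Stop-Service -Name wuauserv -Force
    Set-Service  -Name wuauserv -StartupType Disabled
}

function Enable-WindowsUpdateService {
    # Reverses the change; the Update Center mode chosen earlier is left untouched.
    Set-Service   -Name wuauserv -StartupType Automatic
    Start-Service -Name wuauserv
}

Get-WindowsUpdateState | Format-List
```

Run `Get-WindowsUpdateState` first to see whether the service is already disabled (StartMode = Disabled) and which mode the Update Center is in; if a policy from the Group Policy Editor is in force, the policy key takes precedence over the value shown here.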


This article summarizes the methods known to me for fixing the WSUS agent.

1. The first script is the simplest; in fact it is not used for treatment at all, but to force an update check and, at the same time, clean the folder in which the distributions of already installed updates accumulate:

wsus_detect_manual.cmd

net stop wuauserv && net stop bits && net stop cryptsvc
net start wuauserv && net start bits && net start cryptsvc
wuauclt.exe /detectnow
exit

2. The second script is needed to “revive” an idle WSUS service. It cleans out old updates, then renames the SoftwareDistribution and Catroot2 folders so that they are re-created when the service is restarted. After that the system DLL libraries are re-registered.

fix_wsus_service.cmd

net stop bits
net stop wuauserv
net stop cryptsvc

del /f /s /q %windir%\SoftwareDistribution\download\*.*

ren %systemroot%\System32\Catroot2 Catroot2.old
ren %systemroot%\SoftwareDistribution SoftwareDistribution.old

REM del /f /s /q %windir%\SoftwareDistribution\*.*

del /f /s /q %windir%\windowsupdate.log

%windir%\system32\regsvr32.exe /U /s %windir%\system32\vbscript.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\mshtml.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\msjava.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\msxml.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\actxprxy.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\shdocvw.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\wintrust.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\initpki.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\dssenh.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\rsaenh.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\gpkcsp.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\sccbase.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\slbcsp.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\cryptdlg.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\Urlmon.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\Oleaut32.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\msxml2.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\Browseui.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\shell32.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\Mssip32.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\atl.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\jscript.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\msxml3.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\softpub.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\wuapi.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\wuaueng.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\wuaueng1.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\wucltui.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\wups.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\wups2.dll
%windir%\system32\regsvr32.exe /U /s %windir%\system32\wuweb.dll

%windir%\system32\regsvr32.exe /s %windir%\system32\vbscript.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\mshtml.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\msjava.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\msxml.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\actxprxy.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\shdocvw.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wintrust.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\initpki.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\dssenh.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\rsaenh.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\gpkcsp.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\sccbase.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\slbcsp.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\cryptdlg.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\Urlmon.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\Oleaut32.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\msxml2.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\Browseui.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\shell32.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\Mssip32.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\atl.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\jscript.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\msxml3.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\softpub.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wuapi.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wuaueng.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wuaueng1.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wucltui.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wups.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wups2.dll
%windir%\system32\regsvr32.exe /s %windir%\system32\wuweb.dll

net start bits
net start wuauserv
net start cryptsvc

wuauclt /detectnow

exit

3. This script is used when the computer was recently cloned, or when it has never registered with WSUS. It differs from the previous one only in the penultimate line, in which authorization is reset and the client identifier is regenerated. I will quote just that line:

wsus_resetaut_detect_manual.cmd

wuauclt.exe /resetauthorization /detectnow

AU_Clean_SID.cmd

@echo on
net stop wuauserv
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
net start wuauserv
wuauclt /resetauthorization /detectnow
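The “revive the WSUS agent” procedure from scripts 2, 3 and 4 above, combined into one PowerShell function as an added example that is not one of the article's scripts. It uses the DLL list from fix_wsus_service.cmd and the registry values from AU_Clean_SID.cmd; the only addition is SusClientIdValidation, a client identity value present on newer agents that the original script does not mention. Run it in an elevated session:

```powershell
# Added example (not one of the article's scripts): reset the Windows Update client.
# -ResetClientId performs the AU_Clean_SID step so that a cloned machine registers
# with WSUS under a fresh identity instead of sharing one with its source image.

$wuServices    = 'bits', 'wuauserv', 'cryptsvc'
$wuIdentityKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
# DLL list from fix_wsus_service.cmd; files that no longer exist on newer Windows
# versions (msjava.dll, wuaueng1.dll, ...) are skipped instead of producing errors.
$wuDlls = 'vbscript.dll','mshtml.dll','msjava.dll','msxml.dll','actxprxy.dll','shdocvw.dll',
          'wintrust.dll','initpki.dll','dssenh.dll','rsaenh.dll','gpkcsp.dll','sccbase.dll',
          'slbcsp.dll','cryptdlg.dll','urlmon.dll','oleaut32.dll','msxml2.dll','browseui.dll',
          'shell32.dll','mssip32.dll','atl.dll','jscript.dll','msxml3.dll','softpub.dll',
          'wuapi.dll','wuaueng.dll','wuaueng1.dll','wucltui.dll','wups.dll','wups2.dll','wuweb.dll'

function Reset-WsusClient {
    param([switch]$ResetClientId)

    foreach ($s in $wuServices) { Stop-Service -Name $s -Force -ErrorAction SilentlyContinue }
    # "net stop" can return before the service has released its files; wait for the real stop.
    foreach ($s in $wuServices) {
        (Get-Service -Name $s).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }

    # Rename rather than delete the caches: they are recreated when the services start,
    # and the .old copy can still be inspected or restored if something goes wrong.
    foreach ($dir in "$env:SystemRoot\SoftwareDistribution", "$env:SystemRoot\System32\catroot2") {
        if (Test-Path $dir) {
            if (Test-Path "$dir.old") { Remove-Item "$dir.old" -Recurse -Force }
            Rename-Item -Path $dir -NewName ((Split-Path -Leaf $dir) + '.old')
        }
    }
    # The log is often still held open by another process; ignore the failure if so.
    Remove-Item "$env:SystemRoot\WindowsUpdate.log" -Force -ErrorAction SilentlyContinue

    foreach ($dll in $wuDlls) {
        $path = Join-Path "$env:SystemRoot\System32" $dll
        if (Test-Path $path) { & "$env:SystemRoot\System32\regsvr32.exe" /s $path }
    }

    if ($ResetClientId) {
        # Same values as AU_Clean_SID.cmd (plus SusClientIdValidation on newer agents).
        foreach ($v in 'AccountDomainSid', 'PingID', 'SusClientId', 'SusClientIdValidation') {
            Remove-ItemProperty -Path $wuIdentityKey -Name $v -ErrorAction SilentlyContinue
        }
    }

    foreach ($s in $wuServices) { Start-Service -Name $s }

    # /resetauthorization makes the agent re-register with WSUS; /detectnow triggers a scan.
    if ($ResetClientId) { & wuauclt.exe /resetauthorization /detectnow }
    else                { & wuauclt.exe /detectnow }
}
```

Call `Reset-WsusClient` for a stuck agent and `Reset-WsusClient -ResetClientId` for a cloned machine. On Windows 10 the wuauclt switches are ignored by the agent, so only the service restart and cache rename part of the function has an effect there.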

5. Sometimes, for everything to work, the WSUS agent has to be reinstalled. First download the latest Windows Update Agent, then install the appropriate edition:

for 32-bit versions of Windows

windowsupdateagent30-x86.exe /wuforce

for 64-bit versions of Windows

windowsupdateagent30-x64.exe /wuforce

If you are a happy owner of Itanium, you can guess for yourself :-)

After installing the agent, you must reboot.

6. To “treat” errors 0x80070005, i.e. access-denied errors, the script below may be useful. It restores administrator and SYSTEM access to the registry and system folders.

To run this script you need the Microsoft utility subinacl.exe. It is included in the Windows Server 2003 Resource Kit, but do not use the version bundled there, because it has some nasty bugs. Download subinacl.exe version 5.2.3790.1180 instead.

Restore_registry_and_system_permission.cmd

@echo off
REM Apply for errors 0x80070005 Windows Update
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f

All these scripts can be run more or less automatically when problems arise. If the problem is still not solved, you have to look deeper, and for that you need the same windowsupdate.log, located in the root of the Windows folder. On a problematic computer this file is large, so it is advisable to delete it before running the scripts. Almost all of the scripts contain a command to delete it, but it is not that simple: even after the wuauserv service has been stopped, the file usually remains open by other processes (Internet Explorer and the like). So there is a trick. I launch

notepad.exe %windir%\windowsupdate.log

I select all the text, delete it, and save the file over the old one (do not forget to change the file type to *.* in the save dialog, otherwise it defaults to *.txt).

It is worth noting that there are cases when a client cannot be forced to update from WSUS. I have a couple of Windows Server 2003 R2 machines that I have not been able to overcome; that is why I update them over the Internet :-)

Fresh operating systems such as Windows 7 and Windows 2008 sometimes have difficulty getting started. For such cases, an algorithm found empirically is:
1. Update from the Microsoft website for the first time, including the agent update
2. Then update the agent locally
3. After that everything starts working

I hope that the fruits of our labors will help someone.

For simplicity, I post all these scripts in ready-made form:

Hello everyone. Today's note is mostly for myself: a list of Windows Update servers. Why might it be useful? For example, if you received an “Update not found” error when installing the WSUS role, or, on the contrary, if for some reason you want to block these servers to save traffic when you have no WSUS, since not every Windows update is a good one, especially in its modern versions; I think there is no need to remind you of the errors they bring, and this list of reasons could be continued for a very long time. The reason is not important; what matters is knowing that the list exists and that you can work with it. Below I will show methods for blocking Microsoft update server addresses, both universal ones suitable for an individual computer and ones for centralized management within an enterprise.

Why Windows updates won't install?

Here is a screenshot of the error shown when the Microsoft update server address is unavailable. As you can see, the error is not very informative. I get it on a server that plays the role of WSUS (for those who do not remember, WSUS is a local update center for enterprises, used to save traffic), and it is there that Windows updates are not installed because the Microsoft servers are unreachable.

What to do if Windows updates are not installed

  • First of all, check whether you have Internet access, since for most people it is mandatory, unless of course you have an Active Directory domain and download updates from your own WSUS.
  • Next, if there is Internet access, look at the error code, since that is what you need to search for to find a solution (from recent problems I can give the examples of how Error 0x80070422 or Error c1900101 is solved); this list, too, could be continued for a very long time.
  • Check on your proxy server whether any of the following Microsoft update server addresses are blocked.

The list of Microsoft update servers itself

  1. http://windowsupdate.microsoft.com
  2. http://*.windowsupdate.microsoft.com
  3. https://*.windowsupdate.microsoft.com
  4. http://crl.microsoft.com/pki/crl/products/MicProSecSerCA_2007-12-04.crl
  5. http://*.update.microsoft.com
  6. https://*.update.microsoft.com
  7. http://*.windowsupdate.com
  8. https://activation.sls.microsoft.com/
  9. http://download.windowsupdate.com
  10. http://download.microsoft.com
  11. http://*.download.windowsupdate.com
  12. http://wustat.windows.com
  13. http://ntservicepack.microsoft.com
  14. https://go.microsoft.com/
  15. http://go.microsoft.com/
  16. https://login.live.com
  17. https://validation.sls.microsoft.com/
  18. https://activation-v2.sls.microsoft.com/
  19. https://validation-v2.sls.microsoft.com/
  20. https://displaycatalog.mp.microsoft.com/
  21. https://licensing.mp.microsoft.com/
  22. https://purchase.mp.microsoft.com/
  23. https://displaycatalog.md.mp.microsoft.com/
  24. https://licensing.md.mp.microsoft.com/
  25. https://purchase.md.mp.microsoft.com/
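A way to check the list above from a client or from the WSUS server itself, as an added example that is not part of the article. It sends a HEAD request to every concrete address and classifies the result; the wildcard entries (*.windowsupdate.com and the like) cannot be requested as written and are left out, so add a concrete host seen in your own proxy logs to $endpoints if you want those covered. The Windows Update agent uses the WinHTTP proxy (netsh winhttp show proxy) rather than the user's browser proxy, so pass that proxy with -Proxy when the two differ. Written for Windows PowerShell 3.0 to 5.1:

```powershell
# Added example (not from the article): test reachability of the Microsoft update
# endpoints through the proxy the Windows Update agent will actually use.

$endpoints = @(
    'http://windowsupdate.microsoft.com'
    'http://crl.microsoft.com/pki/crl/products/MicProSecSerCA_2007-12-04.crl'
    'https://activation.sls.microsoft.com/'
    'http://download.windowsupdate.com'
    'http://download.microsoft.com'
    'http://wustat.windows.com'
    'http://ntservicepack.microsoft.com'
    'https://go.microsoft.com/'
    'http://go.microsoft.com/'
    'https://login.live.com'
    'https://validation.sls.microsoft.com/'
    'https://activation-v2.sls.microsoft.com/'
    'https://validation-v2.sls.microsoft.com/'
    'https://displaycatalog.mp.microsoft.com/'
    'https://licensing.mp.microsoft.com/'
    'https://purchase.mp.microsoft.com/'
    'https://displaycatalog.md.mp.microsoft.com/'
    'https://licensing.md.mp.microsoft.com/'
    'https://purchase.md.mp.microsoft.com/'
)

function Test-UpdateEndpoint {
    param([string]$Url, [string]$Proxy, [int]$TimeoutSec = 10)
    $r = New-Object PSObject -Property @{ Url = $Url; Verdict = ''; Status = $null; Detail = '' }
    $req = @{ Uri = $Url; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = $TimeoutSec; ErrorAction = 'Stop' }
    if ($Proxy) { $req.Proxy = $Proxy }   # e.g. 'http://proxy.corp.local:3128' from "netsh winhttp show proxy"
    try {
        $resp = Invoke-WebRequest @req
        $r.Status  = [int]$resp.StatusCode
        $r.Verdict = 'OK'
    } catch [System.Net.WebException] {
        $http = $_.Exception.Response
        if ($http) {
            # A server (or the proxy) answered. HEAD may be refused with 405, which still proves
            # the path is open; 403/407 usually means the proxy policy denies this host.
            $r.Status  = [int]$http.StatusCode
            $r.Verdict = if ($r.Status -in 403, 407) { 'BLOCKED BY PROXY' } else { 'OK' }
        } else {
            # No response at all: DNS failure, timeout, connection refused -> firewall/network.
            $r.Verdict = 'UNREACHABLE'
            $r.Detail  = $_.Exception.Status.ToString()
        }
    } catch {
        $r.Verdict = 'ERROR'
        $r.Detail  = $_.Exception.Message
    }
    $r
}

$report = foreach ($u in $endpoints) { Test-UpdateEndpoint -Url $u }
$report | Format-Table Url, Verdict, Status, Detail -AutoSize
```

Any line that is not OK points at the layer to look at: UNREACHABLE means DNS or a firewall between the machine and the Internet, BLOCKED BY PROXY means a deny rule on the proxy for that host. Only the HTTP path is tested; a blocked CRL address (the crl.microsoft.com entry) shows up as signature validation failures on the client rather than as a download error.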

With the development of the Internet, constantly updating the operating system has become commonplace. Now developers can fix and improve the system throughout its entire support period. But frequent Windows 10 updates are not always convenient. That's why it would be good to be able to turn them off.

Reasons for turning off automatic updates

The reasons may be very different, and only you can decide how much you need to disable updates. It is worth considering that along with improvements to certain capabilities, important fixes for system vulnerabilities are supplied. And yet, situations when independent updates should be disabled arise quite often:

  • paid Internet - sometimes the update is quite large and downloading it can be expensive if you pay for traffic. In this case, it is better to postpone the download and download later under other conditions;
  • lack of time - after downloading, the update begins to install when the computer is shut down. This can be inconvenient if you need to finish work quickly, for example on a laptop. Even worse, sooner or later Windows 10 will demand a restart, and if you do not do it, after some time the restart is forced. All this distracts from and interferes with work;
  • security - although the updates themselves often contain important system changes, no one can ever foresee everything. As a result, some updates may open your system to virus attack, while others will simply break it right after installation. A reasonable approach in this situation is to update some time after the release of the next version, having previously studied the reviews.

Disable automatic Windows 10 updates

There are many ways to turn off Windows 10 updates. Some of them are very simple for the user, others are more complex, and others require the installation of third-party programs.

Disabling via Update Center

Using the Update Center settings to disable updates is not the best option, although Microsoft developers offer it as the official solution. You can indeed turn off automatic downloading of updates through its settings. The problem is that this solution is temporary one way or another: the release of a major Windows 10 update resets this setting and brings system updates back. We will still go through the procedure:

After these changes, minor updates will no longer be installed. But this solution will not help you get rid of downloading updates forever.

In one of the previous articles we described the procedure in detail. After you have configured the server, you need to configure Windows clients (servers and workstations) to use the WSUS server to receive updates, so that the clients receive updates from the internal update server rather than from Microsoft Update servers over the Internet. In this article, we will walk through the procedure for configuring clients to use a WSUS server using Active Directory domain group policies.

AD Group Policies allow an administrator to assign computers to different WSUS groups automatically, eliminating the need to move computers between groups by hand in the WSUS console and to keep those groups up to date. Assignment of clients to WSUS target groups is based on a registry label on the client (the label is set by Group Policy or by editing the registry directly). This type of assignment of clients to WSUS groups is called client-side targeting.

It is assumed that our network will use two different update policies: a separate update installation policy for servers (Servers) and for workstations (Workstations). These two groups need to be created in the WSUS console in the All Computers section.

Advice. The policy for how clients use the WSUS update server largely depends on the organizational structure of the OU in Active Directory and the organization's update installation rules. In this article, we will look at just a particular option that allows you to understand the basic principles of using AD policies to install Windows updates.

First of all, you need to specify the rule for grouping computers (targeting) in the WSUS console. By default, computers are distributed into groups by the administrator manually in the WSUS console (server-side targeting). That does not suit us, so we specify that computers are distributed into groups based on client-side targeting (by a specific key in the client registry). To do this, in the WSUS console go to the Options section and open the Computers item. Change the value to “Use Group Policy or registry settings on computers”.

You can now create a GPO to configure WSUS clients. Open the domain Group Policy Management console and create two new group policies: ServerWSUSPolicy and WorkstationWSUSPolicy.

WSUS Group Policy for Windows Servers

Let's start with a description of the server policy ServerWSUSPolicy.

Group Policy settings responsible for the operation of the Windows Update service are located in the GPO section Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update.

In our organization, we intend to use this policy to install WSUS updates on Windows servers. All computers covered by this policy are expected to be assigned to the Servers group in the WSUS console. In addition, we want to prevent automatic installation of updates on servers as soon as they are received. The WSUS client should simply download the available updates to disk, show an alert about new updates in the system tray, and wait for an administrator to initiate installation (either manually or remotely). This means that production servers will not install updates and reboot automatically without administrator approval (usually this work is done by the system administrator as part of monthly scheduled maintenance). To implement this scheme, we set the following policies:

  • Configure Automatic Updates: Enabled, 3 – Auto download and notify for install – the client automatically downloads new updates and notifies about their availability;
  • Specify intranet Microsoft update service location: Enabled. Set the intranet update service for detecting updates: http://srv-wsus.site:8530, Set the intranet statistics server: http://srv-wsus.site:8530 – here you specify the address of your WSUS server and statistics server (usually they are the same);
  • No auto-restart with logged on users for scheduled automatic updates installations: Enabled – prohibit automatic reboot while a user session exists;
  • Enable client-side targeting: Enabled. Target group name for this computer: Servers – in the WSUS console, assign clients to the Servers group.

Note. When setting up an update policy, we recommend that you carefully study all the settings available in the Windows Update section of the GPO and choose the parameters that suit your infrastructure and organization.

WSUS Update Installation Policy for Workstations

We assume that updates on client workstations, in contrast to the server policy, will be installed automatically at night immediately after receiving updates. After installing updates, computers should reboot automatically (warning the user 5 minutes in advance).

In this GPO (WorkstationWSUSPolicy) we specify:

  • Allow Automatic Updates immediate installation: Disabled – do not install updates immediately when they are received;
  • Allow non-administrators to receive update notifications: Enabled – show non-administrators a notification about new updates and allow them to install the updates manually;
  • Configure Automatic Updates: Enabled. Configure automatic updating: 4 – Auto download and schedule the install. Scheduled install day: 0 – Every day. Scheduled install time: 05:00 – when new updates are received, the client downloads them to the local cache and schedules their automatic installation for 5:00 am;
  • Enable client-side targeting: Enabled. Target group name for this computer: Workstations – in the WSUS console, assign the client to the Workstations group;
  • No auto-restart with logged on users for scheduled automatic updates installations: Disabled – the system reboots automatically 5 minutes after the installation of updates is completed;
  • Specify intranet Microsoft update service location: Enabled. Set the intranet update service for detecting updates: http://srv-wsus.site:8530, Set the intranet statistics server: http://srv-wsus.site:8530 – the address of the corporate WSUS server.

On Windows 10 1607 and later, even though the clients have been told to get updates from the internal WSUS, they may still contact the Windows Update servers on the Internet. This “feature” is called Dual Scan. To stop clients from receiving updates from the Internet, additionally enable the policy Do not allow update deferral policies to cause scans against Windows Update.

Advice. To improve the “level of patching” of computers in the organization, both policies can be configured to force the update service (wuauserv) to start on clients. To do this, go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services, find the Windows Update service and set its startup to Automatic.

Assigning WSUS policies to Active Directory OUs

The next step is to assign the created policies to the appropriate Active Directory containers (OUs). In our example, the OU structure in the AD domain is as simple as possible: there are two containers – Servers (it contains all the organization’s servers, in addition to domain controllers) and WKS (Workstations – user computers).

Advice. We are considering only one fairly simple option for binding WSUS policies to clients. In real organizations it is possible to bind one WSUS policy to all computers in the domain (a GPO with WSUS settings linked to the root of the domain), to distribute different types of clients across different OUs (as in our example, where we created different WSUS policies for servers and workstations), to link or assign GPOs by other criteria in large distributed domains, or to combine the above methods.

To assign a policy to an OU, right-click the desired OU in the Group Policy Management Console, select the menu item Link an Existing GPO and choose the appropriate policy.

Advice. Do not forget about a separate OU with domain controllers (Domain Controllers); in most cases, the WSUS “server” policy should be assigned to this container.

In exactly the same way, you need to assign the WorkstationWSUSPolicy policy to the AD WKS container in which Windows workstations are located.
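The two GPOs described above and their links, built with the GroupPolicy module (part of RSAT, and present on domain controllers) instead of by clicking through the editor. This is an added example, not the article's own code; it assumes the OUs are OU=Servers and OU=WKS directly under the domain root, that Domain Controllers gets the server policy as the advice above suggests, and that the WSUS server is the article's http://srv-wsus.site:8530. Each policy name is written as the registry value the GPO sets on clients:

```powershell
# Added example (not the article's own code): create and link ServerWSUSPolicy and
# WorkstationWSUSPolicy from PowerShell. Run on a domain controller or a machine with RSAT.
Import-Module GroupPolicy

$wsusUrl  = 'http://srv-wsus.site:8530'
$wuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey    = "$wuKey\AU"
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext   # e.g. DC=site

function Set-PolicyDword {
    param([string]$Gpo, [string]$Key, [string]$Name, [int]$Value)
    Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $Name -Type DWord -Value $Value | Out-Null
}

function New-WsusPolicy {
    param(
        [string]$Name,          # GPO display name
        [string]$TargetGroup,   # WSUS computer group for client-side targeting
        [hashtable]$AuValues,   # DWORD values under ...\WindowsUpdate\AU
        [string[]]$LinkTo       # distinguished names of the OUs to link the GPO to
    )
    if (-not (Get-GPO -All | Where-Object { $_.DisplayName -eq $Name })) {
        New-GPO -Name $Name | Out-Null
    }
    # "Specify intranet Microsoft update service location"
    Set-GPRegistryValue -Name $Name -Key $wuKey -ValueName WUServer       -Type String -Value $wsusUrl | Out-Null
    Set-GPRegistryValue -Name $Name -Key $wuKey -ValueName WUStatusServer -Type String -Value $wsusUrl | Out-Null
    Set-PolicyDword $Name $auKey UseWUServer 1
    # "Enable client-side targeting"
    Set-PolicyDword $Name $wuKey TargetGroupEnabled 1
    Set-GPRegistryValue -Name $Name -Key $wuKey -ValueName TargetGroup -Type String -Value $TargetGroup | Out-Null
    foreach ($e in $AuValues.GetEnumerator()) { Set-PolicyDword $Name $auKey $e.Key $e.Value }

    foreach ($ou in $LinkTo) {
        $already = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
        if (-not $already) { New-GPLink -Name $Name -Target $ou | Out-Null }
    }
}

# Servers (and domain controllers): download, notify, never reboot on their own.
New-WsusPolicy -Name 'ServerWSUSPolicy' -TargetGroup 'Servers' `
    -LinkTo "OU=Servers,$domainDn", "OU=Domain Controllers,$domainDn" -AuValues @{
        NoAutoUpdate                  = 0   # Configure Automatic Updates: Enabled
        AUOptions                     = 3   # 3 = auto download and notify for install
        NoAutoRebootWithLoggedOnUsers = 1   # no auto-restart while a user is logged on
    }

# Workstations: install every day at 05:00 and reboot afterwards.
New-WsusPolicy -Name 'WorkstationWSUSPolicy' -TargetGroup 'Workstations' -LinkTo "OU=WKS,$domainDn" -AuValues @{
    NoAutoUpdate                  = 0
    AUOptions                     = 4   # 4 = auto download and schedule the install
    ScheduledInstallDay           = 0   # 0 = every day
    ScheduledInstallTime          = 5   # 05:00
    AutoInstallMinorUpdates       = 0   # "Allow Automatic Updates immediate installation": Disabled
    NoAutoRebootWithLoggedOnUsers = 0   # reboot after the installation completes
}
# "Allow non-administrators to receive update notifications" (sits one level up, not under AU)
Set-PolicyDword 'WorkstationWSUSPolicy' $wuKey ElevateNonAdmins 1
# Windows 10 1607+: "Do not allow update deferral policies to cause scans against Windows Update"
Set-PolicyDword 'WorkstationWSUSPolicy' $wuKey DisableDualScan 1
```

Re-running the script is safe: existing GPOs are reused, values are overwritten with the same content, and a link is only created if the OU does not already carry one. The registry-based settings show up in the Group Policy Management Console under the same Administrative Templates names as when they are set in the editor.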

All that remains is to update the group policies on the clients so that they are bound to the WSUS server.

All Windows update system settings that we set using group policies should appear in the client registry in the branch HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

This reg file can be used to transfer WSUS settings to other computers that cannot configure update settings using GPO (computers in a workgroup, isolated segments, DMZ, etc.)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://srv-wsus.site:8530"
"WUStatusServer"="http://srv-wsus.site:8530"
"UpdateServiceUrlAlternate"=""
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="Servers"
"ElevateNonAdmins"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"ScheduledInstallEveryWeek"=dword:00000001
"UseWUServer"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001

It is also convenient to control the applied WSUS settings on clients using rsop.msc.
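A scripted counterpart to the rsop.msc check, as an added example that is not part of the article: it reads the applied values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate on a client and compares them with the profile the machine should have received, chosen by the TargetGroup the policy wrote. The expected values follow the two GPOs described above and the WSUS URL is the article's http://srv-wsus.site:8530; a mismatch list means the wrong GPO is linked, a newer GPO wins the precedence, or the client has not refreshed policy yet:

```powershell
# Added example (not from the article): audit a client's applied WSUS policy values.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Expected values per WSUS group; 'AU\Name' means the value lives under the AU subkey.
$profiles = @{
    Servers = @{
        'WUServer'                         = 'http://srv-wsus.site:8530'
        'WUStatusServer'                   = 'http://srv-wsus.site:8530'
        'TargetGroupEnabled'               = 1
        'TargetGroup'                      = 'Servers'
        'AU\UseWUServer'                   = 1
        'AU\AUOptions'                     = 3
        'AU\NoAutoRebootWithLoggedOnUsers' = 1
    }
    Workstations = @{
        'WUServer'                         = 'http://srv-wsus.site:8530'
        'WUStatusServer'                   = 'http://srv-wsus.site:8530'
        'TargetGroupEnabled'               = 1
        'TargetGroup'                      = 'Workstations'
        'DisableDualScan'                  = 1
        'AU\UseWUServer'                   = 1
        'AU\AUOptions'                     = 4
        'AU\ScheduledInstallDay'           = 0
        'AU\ScheduledInstallTime'          = 5
        'AU\NoAutoRebootWithLoggedOnUsers' = 0
    }
}

function Get-WsusPolicyValue {
    param([string]$Name)                 # 'WUServer' or 'AU\AUOptions'
    $sub  = Split-Path -Parent $Name     # '' or 'AU'
    $leaf = Split-Path -Leaf   $Name
    $key  = if ($sub) { Join-Path $policyKey $sub } else { $policyKey }
    $item = Get-ItemProperty -Path $key -Name $leaf -ErrorAction SilentlyContinue
    if ($item) { $item.$leaf } else { $null }   # $null = value not delivered by any policy
}

function Test-WsusPolicy {
    param([ValidateSet('Servers', 'Workstations')][string]$ExpectedProfile)
    $mismatches = @()
    foreach ($entry in $profiles[$ExpectedProfile].GetEnumerator()) {
        $actual = Get-WsusPolicyValue -Name $entry.Key
        # String comparison so that DWORD 3 and the literal 3 compare equal.
        if ("$actual" -ne "$($entry.Value)") {
            $mismatches += New-Object PSObject -Property @{
                Setting = $entry.Key; Expected = $entry.Value; Actual = $actual
            }
        }
    }
    $mismatches
}

# Choose the profile from the group the policy actually wrote; default to Servers.
$group    = Get-WsusPolicyValue -Name TargetGroup
$selected = if ($profiles.ContainsKey("$group")) { "$group" } else { 'Servers' }
$bad = Test-WsusPolicy -ExpectedProfile $selected
if ($bad) { $bad | Format-Table Setting, Expected, Actual -AutoSize }
else      { "All $selected WSUS policy values are present and correct." }
```

Run `gpupdate /force` before the audit so that the values reflect the current policy, and compare any reported Actual = (empty) entry with rsop.msc: a value that no GPO delivers is the usual sign that the client sits in an OU the policy is not linked to.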

After some time (depending on the number of updates and the bandwidth of the channel to the WSUS server), pop-up notifications about new updates should appear in the tray. Clients should appear in the WSUS console in the appropriate groups (the table shows the client name, IP, OS, percentage “patched” and the date of the last status update). Because we assigned computers and servers to different WSUS groups by policy, they will only receive the updates approved for installation in the corresponding WSUS groups.

Note. If updates do not appear on the client, it is recommended to examine the Windows Update service log on the problematic client carefully (C:\Windows\WindowsUpdate.log). Note that Windows 10 (Windows Server 2016) stores this log differently. The client downloads updates to the local folder C:\Windows\SoftwareDistribution\Download. To start a search for new updates on the WSUS server, run the command:

wuauclt /detectnow

Also, sometimes you have to forcefully re-register the client on the WSUS server:

wuauclt /detectnow /resetAuthorization

In particularly difficult cases, you can try to repair the wuauserv service. If the client still does not pick up updates, try changing the frequency of checking for updates on the WSUS server using the Automatic Update detection frequency policy.

In the next article we will describe the features. We also recommend that you read the article between groups on a WSUS server.