Part 3 – Configure GPO for WSUS in Windows Server 2022

After installing and configuring the WSUS server role, the next step is to configure the GPO settings that determine how WSUS clients receive updates. WSUS computer groups let you group computers so that specific updates can be targeted at them. Microsoft's recommended practice is to create at least one computer group in the WSUS console. By default WSUS has 2 groups, and every computer is already assigned to the All Computers group.

All Computers: This group registers computer accounts when they contact the WSUS server. It should not be populated manually.
Unassigned Computers: This group holds the computers that the WSUS administrator has not assigned to any other group.

Create a new computer group in the WSUS console

1- Under Options, choose Computers and then choose Use Group Policy or registry settings on computers.

2- Right Click on All Computers and then choose Add Computer Group.

4- In Group Name, type Windows 10 as the name.

5- Our new group is listed as shown

6- Open Group Policy Management and, under our OU, select Create a GPO in this domain, and Link it here. We will apply the GPO to a specific OU and patch the servers.

7- Give the GPO a name.

8- Right-click on the GPO name and then select Edit

9- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.

10- Under Windows Update, locate “Specify Intranet Microsoft Update Service Location” and enter our WSUS server URL with port number 8530, http://virt-wsus-01.ash.local:8530. For the intranet statistics server, enter http://virt-wsus-01.ash.local:8531.

11- Double-click the Configure Automatic Updates policy, set the policy to Enabled, and choose a schedule under Configure automatic updating.

12- Configure the schedule and then click OK.

13 – The next setting we need is the “Automatic Update Detection Frequency” policy that specifies how long to wait before checking for available updates. 

Link the WSUS GPO to OU

15- Under AD Users and Computers I’ve added a few Organizational Units as shown.

16- Right-click our Windows 10 OU and select the Link an Existing GPO option to link the GPO to our OU.

17- Execute gpupdate /force to force GPO updates

18 – Run the following command to check the health of the WSUS server. The output can be found in Event Viewer.

"C:\Program Files\Update Services\Tools\WsusUtil.exe" checkhealth

19- Once our client establishes a connection to the WSUS server, the virtual machines attached to our WSUS server appear in the Unassigned Computers tab.

20- Choose the Unassigned Computers tab, select the VMs we need, and choose Change Membership.

21- Choose to place the two VMs into the Windows 10 container.

22- Our 2 VMs now appear inside the Windows 10 container.

23 – Under the All Updates tab, select Failed or Needed, select all updates, and then right-click the update you want to install and select Approve.

24- Under our Windows 10 group, right-click and then select Approved for Install.

25- During the next maintenance interval configured in the GPO, the clients will download and install the Windows updates.
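
To confirm on a client that the settings from steps 10 to 13 arrived after gpupdate /force, the following added PowerShell example (not part of the original article) reads the registry values those policies write. The function name Test-WsusClientPolicy is hypothetical, and settings whose values the article does not state are only checked for presence.

```powershell
# Added example: verify on a WSUS client that the GPO from steps 10-13 was applied.
# URLs are the ones used in this article; a $null Value means "must exist, any value".
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$expected = @(
    @{ Path = $wu;      Name = 'WUServer';                  Value = 'http://virt-wsus-01.ash.local:8530' }
    @{ Path = $wu;      Name = 'WUStatusServer';            Value = 'http://virt-wsus-01.ash.local:8531' }
    @{ Path = "$wu\AU"; Name = 'UseWUServer';               Value = 1 }     # use the intranet server
    @{ Path = "$wu\AU"; Name = 'NoAutoUpdate';              Value = 0 }     # Configure Automatic Updates = Enabled
    @{ Path = "$wu\AU"; Name = 'AUOptions';                 Value = $null } # chosen update option
    @{ Path = "$wu\AU"; Name = 'ScheduledInstallDay';       Value = $null } # schedule from step 12
    @{ Path = "$wu\AU"; Name = 'ScheduledInstallTime';      Value = $null }
    @{ Path = "$wu\AU"; Name = 'DetectionFrequencyEnabled'; Value = 1 }     # step 13
    @{ Path = "$wu\AU"; Name = 'DetectionFrequency';        Value = $null } # hours between checks
)

function Test-WsusClientPolicy {
    param([object[]]$Expected)
    foreach ($item in $Expected) {
        # Returns $null when the key or the value does not exist
        $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name `
                   -ErrorAction SilentlyContinue).($item.Name)
        if ($null -eq $actual) {
            $status = 'Missing'
        } elseif ($null -eq $item.Value -or $actual -eq $item.Value) {
            $status = 'OK'
        } else {
            $status = 'Mismatch'
        }
        [pscustomobject]@{
            Setting  = $item.Name
            Expected = $item.Value
            Actual   = $actual
            Status   = $status
        }
    }
}

$results = Test-WsusClientPolicy -Expected $expected
$results | Format-Table -AutoSize

if ($results.Status -contains 'Missing' -or $results.Status -contains 'Mismatch') {
    Write-Warning 'WSUS policy is not fully applied. Run gpupdate /force and review gpresult /r.'
}
```

A Missing result for every setting usually means the computer account is not in the OU the GPO is linked to.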


By Ash Thomas

Ash Thomas is a seasoned IT professional with extensive experience as a technical expert, complemented by a keen interest in blockchain technology.
