
Essentially, I was wondering if it's possible to use the local gpedit.msc on Windows 7 and Windows Server 2008 R2 machines to configure clients to use a workgroup-based WSUS installation. With this, I would still like to ensure users can use Windows Update manually, but the WSUS does the majority of the work!

Oliver Salzburg
PnP

1 Answer


Registry

Please see the article Configure Automatic Updates in a Non–Active Directory Environment.

  1. You're going to want to set these registry keys to the URL for your WSUS server (for example: http://wsus.local):

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer
    

    Note: The key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate does not exist on a fresh installation of Windows 7. You will have to create it if it doesn't exist.

  2. Then create a new DWORD named UseWUServer in the following key and set it to 1:

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    

This should be enough to tell the system to use your local WSUS installation.

Please see the article linked above for further options in configuring the Windows Update behavior.

Example

These are the default settings a Windows Small Business Server 2010 will set: [two screenshots]

Group Policy

It should also be noted that these settings are also accessible through the Local Group Policy Editor under Computer Configuration\Administrative Templates\Windows Components\Windows Update: [screenshot]

In the group policy editor, we can also see the group policy that may be used to restrict access to Windows Update for a user. This would allow installation only directly through WSUS approval and automatic installation (which would have to be configured): [screenshot]

Oliver Salzburg
  • Would that by default go ahead and use WSUS, but still allow manual Windows Update checks? – PnP Jun 27 '12 at 20:30
  • @TheD: It should. The access to Microsoft's own update servers would have to be disabled separately. – Oliver Salzburg Jun 27 '12 at 20:32
  • `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer` `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer` - Do I need to create these keys and folders? They don't exist in my Win7 box? – PnP Jun 27 '12 at 20:52
  • @TheD: The part up until `Microsoft\Windows` should exist, otherwise I would be a bit confused. If the *folder* `WindowsUpdate` does not exist, create it. – Oliver Salzburg Jun 27 '12 at 20:58
  • Sorry yes, should have been more specific with that! Yeah, it's just the WindowsUpdate which doesn't. Cheers! – PnP Jun 27 '12 at 20:59
  • Many thanks again for the very detailed answer, I wish I could rate it twice! – PnP Jun 27 '12 at 21:04
  • It's been about 10 mins now, my machines don't appear to be checking into WSUS, even after a restart? – PnP Jun 27 '12 at 21:14
  • @TheD: To make sure your clients are using the correct server and aren't having any issues, check `%WINDIR%\WindowsUpdate.log` (be sure to start at the end). Also, I still remember my own WSUS issues vividly: http://serverfault.com/questions/390639/should-my-wsus-provide-update-information-before-it-is-fully-synchronized If you need more help, find me on [chat] :) – Oliver Salzburg Jun 27 '12 at 21:18
  • It takes days (1 to 10) for WSUS clients to start working properly, just be patient – TFD Jul 28 '15 at 00:36
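
Steps 1 and 2 of the answer above, scripted in PowerShell as an added example (not code from the original post): it creates the policy keys if they are missing, writes the three values, reads them back, and shows the tail of the log mentioned in the comments. The `$WsusUrl` default is the answer's example URL, and the URL check and `wuauserv` restart are additions; run it from an elevated prompt.

```powershell
# Added example: point a workgroup client at a WSUS server through the
# policy registry values described in the answer.
# $WsusUrl is a placeholder default (the answer's example URL); pass your own.
param(
    [string]$WsusUrl = 'http://wsus.local'
)

$wuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Refuse anything that is not an absolute http(s) URL before touching the registry.
$uri = $null
$ok  = [System.Uri]::TryCreate($WsusUrl, [System.UriKind]::Absolute, [ref]$uri)
if (-not $ok -or ($uri.Scheme -ne 'http' -and $uri.Scheme -ne 'https')) {
    throw "Not an absolute http(s) URL: $WsusUrl"
}
if ($uri.Scheme -eq 'http') {
    # Plain HTTP leaves update metadata unprotected in transit.
    Write-Warning 'WSUS URL is plain HTTP; use https:// if the server has TLS configured.'
}

# The WindowsUpdate key (and AU below it) does not exist on a fresh Windows 7 install.
foreach ($key in $wuKey, $auKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Step 1: WUServer and WUStatusServer both point at the WSUS server.
New-ItemProperty -Path $wuKey -Name WUServer       -Value $WsusUrl -PropertyType String -Force | Out-Null
New-ItemProperty -Path $wuKey -Name WUStatusServer -Value $WsusUrl -PropertyType String -Force | Out-Null

# Step 2: UseWUServer (DWORD) = 1 under the AU subkey.
New-ItemProperty -Path $auKey -Name UseWUServer -Value 1 -PropertyType DWord -Force | Out-Null

# Read the values back so a typo or a failed write is visible immediately.
$wu = Get-ItemProperty -Path $wuKey
$au = Get-ItemProperty -Path $auKey
"WUServer       = $($wu.WUServer)"
"WUStatusServer = $($wu.WUStatusServer)"
"UseWUServer    = $($au.UseWUServer)"
if ($wu.WUServer -ne $wu.WUStatusServer) {
    Write-Warning 'WUServer and WUStatusServer differ.'
}

# Restart the Windows Update service so it rereads the policy values,
# then show the end of the client log to confirm which server it contacts.
Restart-Service -Name wuauserv
Get-Content "$env:WINDIR\WindowsUpdate.log" | Select-Object -Last 20
```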